Ransomware: Your Worst IT Nightmare
Crypto-ransomware has become an all-too-frequent cyber pandemic that presents an enterprise-level threat for businesses of all sizes that are poorly prepared for an assault. Versions of crypto-ransomware such as CrySIS, WannaCry, Bad Rabbit, Syskey and MongoLock cryptoworms have been running rampant for many years and continue to inflict havoc. Newer versions of crypto-ransomware such as Ryuk, Maze, Sodinokibi, DoppelPaymer, LockBit or Nefilim, as well as more as yet unnamed malware, not only encrypt on-line data but also infect any available system protection. Data synchronized to cloud environments can also be corrupted. With a poorly designed data protection solution, this can render any restoration useless and effectively knock the network back to zero.
Recovering applications and information following a crypto-ransomware attack becomes a race against time as the victim tries its best to stop the spread, clean up the ransomware, and restore enterprise-critical operations. Because crypto-ransomware needs time to replicate, assaults are frequently launched on weekends and holidays, when intrusions are likely to take longer to recognize. This multiplies the difficulty of quickly marshalling and orchestrating a capable response team.
Progent makes available an assortment of help services for protecting organizations from ransomware events. These include user education to help identify and not fall victim to phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, along with installation of modern security solutions with machine learning capabilities to rapidly detect and suppress zero-day cyber threats. Progent also can provide the assistance of seasoned ransomware recovery engineers with the talent and commitment to re-deploy a compromised environment as quickly as possible.
Progent's Ransomware Restoration Services
Following a ransomware attack, even paying the ransom in Bitcoin cryptocurrency does not provide any assurance that remote criminals will hand over the keys to decrypt any of your data. Kaspersky Labs determined that seventeen percent of ransomware victims never recovered their information even after having sent off the ransom, resulting in increased losses. The gamble is also expensive. Ryuk ransoms commonly range from fifteen to forty BTC ($120,000 to $400,000). This is significantly higher than the usual crypto-ransomware demand, which ZDNET estimates averages around $13,000. The fallback is to re-install the key parts of your Information Technology environment. Absent access to full system backups, this requires a wide range of skill sets, professional team management, and the ability to work 24x7 until the recovery project is finished.
For twenty years, Progent has made available certified expert IT services for companies in Reno and throughout the US and has achieved Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes consultants who have been awarded top certifications in key technologies including Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cyber security specialists have garnered internationally-renowned industry certifications including CISA, CISSP-ISSAP, ISACA CRISC, and SANS GIAC. (Visit Progent's certifications). Progent in addition has expertise in accounting and ERP application software. This breadth of expertise affords Progent the capability to efficiently understand important systems and organize the remaining pieces of your IT environment after a ransomware penetration and configure them into a functioning network.
Progent's security group has powerful project management tools to coordinate the sophisticated recovery process. Progent appreciates the importance of acting rapidly and in unison with a customer's management and Information Technology resources to assign priority to tasks and to put essential services back on-line as soon as humanly possible.
Case Study: A Successful Crypto-Ransomware Virus Response
A small business escalated to Progent after their organization was brought down by Ryuk ransomware. Ryuk is believed to have been deployed by North Korean state-sponsored criminal gangs, suspected of adopting technology leaked from America's National Security Agency. Ryuk targets specific companies with limited ability to sustain operational disruption and is among the most lucrative incarnations of ransomware. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a single-location manufacturer based in the Chicago metro area with about 500 employees. The Ryuk event had shut down all company operations and manufacturing processes. Most of the client's data backups had been online at the time of the attack and were eventually encrypted. The client was actively seeking loans to pay the ransom demand (in excess of two hundred thousand dollars) and hoping for good luck, but ultimately turned to Progent.
"I cannot say enough about the support Progent gave us during the most stressful time of (our) business's life. We most likely would have paid the criminal gangs if not for the confidence the Progent experts afforded us. The fact that you could get our e-mail and production applications back in less than one week was earth shattering. Each consultant I got help from or communicated with at Progent was laser focused on getting us back online and was working non-stop to bail us out."
Progent worked together with the client to rapidly identify and prioritize the key elements that had to be restored to make it possible to restart company functions:
- Windows Active Directory
- Accounting and Manufacturing Software
To start, Progent followed industry best practices for malware incident response by isolating infected systems and removing the active malware. Progent then began the task of recovering Microsoft Active Directory, the heart of enterprise networks built on Microsoft technology. Microsoft Exchange Server email will not function without Windows AD, and the client's accounting and MRP applications relied on Microsoft SQL Server, which depends on Active Directory services for authentication and authorization of access to the data.
Within 2 days, Progent was able to rebuild Active Directory to its pre-attack state. Progent then carried out reinstallations and storage recovery on key servers. All Exchange Server schema and configuration information were intact, which facilitated the rebuild of Exchange. Progent was also able to gather unencrypted OST files (Outlook Offline Folder Files) from user workstations to recover email data. A recent offline backup of the business's financial/ERP software made it possible to bring these essential applications back online. Although significant work remained to recover fully from the Ryuk attack, core services were restored rapidly:
"For the most part, the production line operation survived unscathed and we produced all customer shipments."
Throughout the following month critical milestones in the recovery project were accomplished through close cooperation between Progent engineers and the customer:
- Self-hosted web sites were returned to operation without losing any data.
- The MailStore Server containing more than 4 million archived emails was brought on-line and accessible to users.
- CRM/Product Ordering/Invoicing/Accounts Payable (AP)/Accounts Receivables (AR)/Inventory capabilities were fully restored.
- A new Palo Alto Networks 850 security appliance was set up.
- 90% of the desktop computers were functioning as before the incident.
"A huge amount of what was accomplished in the initial days is nearly entirely a blur for me, but we will not forget the urgency each and every one of you put in to help get our company back. I have utilized Progent for the past ten years, maybe more, and each time I needed help Progent has come through and delivered. This event was a stunning achievement."
A possible business extinction catastrophe was avoided with results-oriented professionals, a broad array of technical expertise, and tight teamwork. Although in hindsight the crypto-ransomware intrusion described here could have been blocked with modern cyber security technology and NIST Cybersecurity Framework best practices, team training, and properly executed security procedures for data backup and applying software patches, the fact remains that state-sponsored cyber criminals from Russia, North Korea and elsewhere are tireless and represent an ongoing threat. If you do get hit by a ransomware attack, remember that Progent's roster of professionals has extensive experience in crypto-ransomware blocking, removal, and information systems restoration.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were helping), thank you for making it so I could get some sleep after we got through the initial push. Everyone did an incredible job, and if anyone is in the Chicago area, a great meal is my treat!"
To read or download a PDF version of this ransomware incident report, click:
Progent's Crypto-Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Offered by Progent
Progent can provide companies in Reno a portfolio of remote monitoring and security evaluation services designed to assist you to reduce your vulnerability to ransomware. These services incorporate next-generation machine learning technology to uncover new variants of ransomware that can evade traditional signature-based security solutions.
For Reno 24-Hour Crypto-Ransomware Removal Consultants, call Progent at 800-462-8800 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring is an endpoint protection (EPP) solution that utilizes cutting edge behavior-based analysis tools to guard physical and virtual endpoint devices against modern malware attacks like ransomware and file-less exploits, which easily get by traditional signature-matching anti-virus products. ProSight ASM safeguards on-premises and cloud-based resources and offers a single platform to automate the entire threat progression including filtering, infiltration detection, containment, cleanup, and post-attack forensics. Top features include one-click rollback with Windows Volume Shadow Copy Service and real-time network-wide immunization against newly discovered threats. Find out more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware defense.
- ProSight Enhanced Security Protection: Endpoint Security and Exchange Email Filtering
ProSight Enhanced Security Protection managed services deliver economical multi-layer protection for physical and virtual servers, workstations, smartphones, and Exchange email. ProSight ESP utilizes contextual security and modern behavior analysis for round-the-clock monitoring and responding to cyber threats from all vectors. ProSight ESP offers two-way firewall protection, intrusion alerts, device management, and web filtering through leading-edge technologies packaged within a single agent managed from a single console. Progent's data protection and virtualization experts can help you to plan and configure a ProSight ESP environment that addresses your organization's unique requirements and that helps you achieve and demonstrate compliance with legal and industry data protection standards. Progent will assist you to specify and configure the security policies that ProSight ESP will enforce, and Progent will monitor your IT environment and react to alarms that require urgent action. Progent can also help your company to install and verify a backup and restore solution like ProSight Data Protection Services (DPS) so you can recover rapidly from a destructive cyber attack like ransomware. Read more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint security and Microsoft Exchange filtering.
- ProSight Data Protection Services (DPS): Backup and Disaster Recovery Services
Progent has worked with leading backup/restore software providers to produce ProSight Data Protection Services, a portfolio of management outsourcing plans that provide backup-as-a-service. ProSight DPS services manage and track your data backup operations and enable non-disruptive backup and rapid recovery of critical files/folders, apps, system images, plus virtual machines. ProSight DPS lets you protect against data loss resulting from equipment breakdown, natural calamities, fire, cyber attacks such as ransomware, human error, malicious insiders, or application bugs. Managed services in the ProSight Data Protection Services portfolio include ProSight Ataro VM Backup, ProSight Ataro Office 365 Backup, ProSight ECHO Backup based on Barracuda dedicated storage, and ProSight MSP360 Cloud and On-prem Backup. Your Progent expert can assist you to identify which of these fully managed services are most appropriate for your IT environment.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam and virus filtering service that incorporates the infrastructure of top data security vendors to deliver web-based control and comprehensive security for your inbound and outbound email. The hybrid structure of Progent's Email Guard integrates a Cloud Protection Layer with a local security gateway device to offer complete defense against spam, viruses, Denial of Service attacks, DHAs (directory harvest attacks), and other email-borne malware. The cloud filter serves as a first line of defense and keeps the vast majority of threats from reaching your security perimeter. This reduces your exposure to inbound attacks and conserves system bandwidth and storage. Email Guard's onsite security gateway appliance provides a deeper layer of inspection for incoming email. For outbound email, the local security gateway provides anti-virus and anti-spam protection, DLP, and email encryption. The onsite security gateway can also assist Microsoft Exchange Server to track and protect internal email traffic that originates and ends within your security perimeter. For more information, see ProSight Email Guard spam filtering and data leakage protection.
- ProSight WAN Watch: Infrastructure Remote Monitoring and Management
Progent's ProSight WAN Watch is an infrastructure management service that makes it simple and affordable for small and mid-sized organizations to diagram, track, optimize and troubleshoot their connectivity hardware like switches, firewalls, and wireless controllers as well as servers, client computers and other devices. Using state-of-the-art RMM technology, WAN Watch ensures that network maps are always up to date, copies and displays the configuration information of virtually all devices connected to your network, monitors performance, and sends alerts when issues are discovered. By automating time-consuming management and troubleshooting activities, ProSight WAN Watch can knock hours off common chores like making network diagrams, reconfiguring your network, finding appliances that require important updates, or isolating performance issues. Learn more details about ProSight WAN Watch infrastructure management consulting.
- ProSight LAN Watch: Server and Desktop Remote Monitoring
ProSight LAN Watch is Progent's server and desktop monitoring service that incorporates advanced remote monitoring and management techniques to keep your network operating at peak levels by checking the state of the critical computers that drive your business network. When ProSight LAN Watch detects a problem, an alert is transmitted immediately to your designated IT management staff and your Progent consultant so that looming issues can be addressed before they disrupt your network. Learn more details about ProSight LAN Watch server and desktop remote monitoring services.
- ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
With ProSight Virtual Hosting service, a small organization can have its critical servers and applications hosted in a protected, fault-tolerant data center on a high-performance virtual host configured and maintained by Progent's network support experts. With Progent's ProSight Virtual Hosting service model, the customer owns the data, the operating system platforms, and the applications. Since the system is virtualized, it can be ported immediately to a different hardware environment without a time-consuming and difficult configuration procedure. With ProSight Virtual Hosting, you are not tied to one hosting service. Learn more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to capture, maintain, retrieve and safeguard data about your network infrastructure, processes, applications, and services. You can quickly find passwords or serial numbers and be warned about upcoming expirations of SSL certificates or domains. By updating and managing your network documentation, you can eliminate as much as 50% of the time wasted looking for critical information about your IT network. ProSight IT Asset Management features a centralized repository for storing and sharing all documents related to managing your business network, such as recommended procedures and self-service instructions. ProSight IT Asset Management also supports advanced automation for collecting and relating IT information. Whether you're planning enhancements, doing maintenance, or reacting to a crisis, ProSight IT Asset Management gets you the data you require the instant you need it. Read more about ProSight IT Asset Management service.
- Active Protection Against Ransomware: AI-based Ransomware Identification and Cleanup
Progent's Active Protection Against Ransomware is an endpoint protection service that incorporates next-generation behavior-based machine learning tools to guard endpoint devices as well as servers and VMs against new malware assaults like ransomware and email phishing, which easily get by traditional signature-based AV tools. Progent ASM services protect local and cloud-based resources and offer a single platform to manage the complete threat progression including protection, identification, containment, cleanup, and forensics. Key capabilities include one-click rollback using Windows VSS and real-time system-wide immunization against new attacks. Find out more about Progent's ransomware protection and recovery services.
- Outsourced/Co-managed Service Center: Help Desk Managed Services
Progent's Support Center services allow your information technology team to offload Call Center services to Progent or divide activity for support services seamlessly between your in-house network support group and Progent's extensive pool of IT service engineers and subject matter experts. Progent's Co-managed Help Desk Service offers a transparent extension of your in-house support resources. End user interaction with the Help Desk, provision of support, problem escalation, trouble ticket generation and updates, efficiency metrics, and maintenance of the support database are consistent whether issues are taken care of by your corporate network support organization, by Progent's team, or both. Learn more about Progent's outsourced/co-managed Help Center services.
- Progent's Patch Management: Software/Firmware Update Management Services
Progent's managed services for patch management provide businesses of any size a versatile and affordable solution for assessing, validating, scheduling, applying, and tracking software and firmware updates to your dynamic IT network. Besides optimizing the security and functionality of your IT environment, Progent's software/firmware update management services free up time for your IT team to focus on line-of-business initiatives and activities that deliver maximum business value from your network. Find out more about Progent's software/firmware update management services.
- ProSight Duo Multi-Factor Authentication: Access Security, Endpoint Remediation, and Protected Single Sign-on
Progent's Duo authentication services incorporate Cisco's Duo cloud technology to defend against compromised passwords through the use of two-factor authentication. Duo enables single-tap identity confirmation on Apple iOS, Android, and other out-of-band devices. With 2FA, whenever you log into a protected online account and enter your password, you are asked to confirm who you are on a device that only you have and that uses a separate network channel. A wide range of devices can be used as this added means of identity validation, including an iPhone, an Android phone, a smartwatch, a hardware token, or a landline phone. You may designate several validation devices. To learn more about ProSight Duo two-factor identity authentication services, see Cisco Duo MFA two-factor authentication (2FA) services for access security.