Ransomware : Your Feared Information Technology Disaster
Ransomware  Recovery ExpertsRansomware has become a too-frequent cyberplague that presents an extinction-level threat for businesses of all sizes unprepared for an assault. Different iterations of ransomware like the Dharma, CryptoWall, Locky, Syskey and MongoLock cryptoworms have been running rampant for many years and continue to inflict harm. Modern variants of ransomware like Ryuk, Maze, Sodinokibi, Netwalker, LockBit or Nephilim, along with additional unnamed newcomers, not only encrypt on-line data files but also infect any configured system backups. Data synchronized to off-site disaster recovery sites can also be encrypted. In a vulnerable data protection solution, it can render automated recovery useless and basically knocks the datacenter back to square one.

Retrieving services and data after a crypto-ransomware event becomes a sprint against time as the targeted business tries its best to contain and eradicate the crypto-ransomware and to resume enterprise-critical activity. Due to the fact that ransomware requires time to move laterally, assaults are frequently launched on weekends and holidays, when attacks are likely to take longer to recognize. This multiplies the difficulty of quickly mobilizing and orchestrating a capable response team.

Progent provides a variety of help services for securing enterprises from ransomware events. These include user education to become familiar with and avoid phishing exploits, ProSight Active Security Monitoring (ASM) for remote monitoring and management, in addition to installation of the latest generation security appliances with artificial intelligence technology from SentinelOne to discover and disable new threats rapidly. Progent in addition provides the services of experienced ransomware recovery engineers with the skills and perseverance to rebuild a compromised environment as rapidly as possible.

Progent's Crypto-Ransomware Restoration Support Services
Subsequent to a crypto-ransomware event, paying the ransom demands in cryptocurrency does not ensure that criminal gangs will respond with the keys to decrypt any of your files. Kaspersky Labs determined that 17% of ransomware victims never recovered their information even after having sent off the ransom, resulting in more losses. The gamble is also costly. Ryuk ransoms commonly range from fifteen to forty BTC ($120,000 and $400,000). This is significantly above the usual ransomware demands, which ZDNET determined to be around $13,000. The other path is to re-install the critical elements of your IT environment. Without access to full system backups, this requires a broad range of skill sets, top notch team management, and the willingness to work non-stop until the job is completed.

For decades, Progent has provided professional Information Technology services for companies in Santos and across the US and has earned Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes engineers who have earned top certifications in leading technologies such as Microsoft, Cisco, VMware, and popular distros of Linux. Progent's cyber security consultants have earned internationally-recognized industry certifications including CISM, CISSP, CRISC, and GIAC. (Refer to Progent's certifications). Progent also has experience with financial systems and ERP software solutions. This breadth of experience provides Progent the capability to efficiently identify important systems and integrate the remaining components of your computer network system following a ransomware event and rebuild them into a functioning system.

Progent's ransomware team has state-of-the-art project management systems to orchestrate the complex recovery process. Progent understands the importance of working rapidly and in concert with a client's management and Information Technology resources to prioritize tasks and to put the most important systems back on line as fast as possible.

Customer Case Study: A Successful Ransomware Incident Restoration
A business hired Progent after their company was taken over by Ryuk crypto-ransomware. Ryuk is generally considered to have been created by Northern Korean state cybercriminals, possibly using strategies leaked from the United States NSA organization. Ryuk attacks specific organizations with limited tolerance for operational disruption and is among the most lucrative incarnations of ransomware viruses. Well Known targets include Data Resolution, a California-based info warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a small manufacturing business based in the Chicago metro area with around 500 employees. The Ryuk event had shut down all business operations and manufacturing processes. Most of the client's data backups had been directly accessible at the start of the intrusion and were encrypted. The client considered paying the ransom demand (exceeding $200K) and wishfully thinking for good luck, but ultimately engaged Progent.


"I cannot speak enough about the support Progent provided us during the most stressful time of (our) company's survival. We had little choice but to pay the hackers behind this attack except for the confidence the Progent team afforded us. The fact that you could get our e-mail system and critical servers back online quicker than one week was amazing. Each expert I interacted with or e-mailed at Progent was urgently focused on getting my company operational and was working all day and night on our behalf."

Progent worked together with the customer to quickly determine and prioritize the mission critical systems that needed to be recovered in order to resume company functions:

  • Microsoft Active Directory
  • Microsoft Exchange
  • MRP System
To begin, Progent adhered to ransomware incident response industry best practices by halting lateral movement and removing active viruses. Progent then started the task of restoring Windows Active Directory, the key technology of enterprise networks built upon Microsoft technology. Exchange messaging will not operate without AD, and the customer's accounting and MRP system utilized Microsoft SQL, which depends on Active Directory services for access to the databases.

Within 2 days, Progent was able to rebuild Windows Active Directory to its pre-penetration state. Progent then initiated setup and hard drive recovery of essential systems. All Exchange schema and attributes were intact, which facilitated the restore of Exchange. Progent was also able to assemble local OST data files (Microsoft Outlook Off-Line Folder Files) on user PCs in order to recover mail data. A recent off-line backup of the customer's financials/MRP software made it possible to restore these vital programs back online for users. Although major work needed to be completed to recover totally from the Ryuk virus, core systems were recovered quickly:


"For the most part, the manufacturing operation was never shut down and we did not miss any customer deliverables."

Throughout the next couple of weeks key milestones in the restoration project were made in close cooperation between Progent team members and the client:

  • In-house web sites were restored without losing any information.
  • The MailStore Microsoft Exchange Server containing more than four million archived emails was restored to operations and available for users.
  • CRM/Orders/Invoices/AP/Accounts Receivables (AR)/Inventory Control capabilities were fully restored.
  • A new Palo Alto Networks 850 firewall was set up and programmed.
  • 90% of the user PCs were being used by staff.

"Much of what occurred that first week is nearly entirely a haze for me, but we will not soon forget the commitment each of you put in to help get our business back. I've trusted Progent for the past 10 years, possibly more, and each time Progent has shined and delivered as promised. This situation was the most impressive ever."

Conclusion
A possible enterprise-killing disaster was avoided through the efforts of dedicated professionals, a broad spectrum of subject matter expertise, and close collaboration. Although in analyzing the event afterwards the crypto-ransomware virus penetration described here could have been disabled with current security technology and security best practices, team training, and well designed incident response procedures for backup and keeping systems up to date with security patches, the fact is that government-sponsored cyber criminals from Russia, China and elsewhere are relentless and are not going away. If you do fall victim to a ransomware penetration, remember that Progent's roster of professionals has a proven track record in crypto-ransomware virus defense, cleanup, and information systems recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (along with others who were helping), thanks very much for letting me get rested after we got past the first week. All of you did an impressive effort, and if anyone that helped is in the Chicago area, dinner is my treat!"

To review or download a PDF version of this ransomware incident report, please click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent can provide companies in Santos a range of online monitoring and security assessment services designed to help you to reduce your vulnerability to ransomware. These services incorporate next-generation AI technology to uncover new variants of crypto-ransomware that can evade traditional signature-based security products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) solution that utilizes SentinelOne's cutting edge behavior analysis technology to defend physical and virtual endpoint devices against new malware assaults such as ransomware and email phishing, which routinely evade legacy signature-based AV products. ProSight ASM protects local and cloud resources and offers a single platform to manage the complete threat lifecycle including filtering, detection, containment, cleanup, and forensics. Key features include one-click rollback with Windows VSS and real-time network-wide immunization against newly discovered attacks. Progent is a SentinelOne Partner, dealer, and integrator. Find out more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection: Endpoint Protection and Exchange Filtering
    ProSight Enhanced Security Protection (ESP) services deliver affordable in-depth security for physical and virtual servers, workstations, smartphones, and Exchange Server. ProSight ESP utilizes adaptive security and advanced machine learning for continuously monitoring and responding to security assaults from all vectors. ProSight ESP offers two-way firewall protection, penetration alerts, device control, and web filtering via cutting-edge tools incorporated within one agent managed from a unified console. Progent's data protection and virtualization experts can help you to plan and implement a ProSight ESP deployment that addresses your company's unique requirements and that helps you prove compliance with legal and industry information protection regulations. Progent will help you specify and configure policies that ProSight ESP will manage, and Progent will monitor your IT environment and react to alarms that require urgent attention. Progent's consultants can also help you to install and verify a backup and disaster recovery solution like ProSight Data Protection Services so you can get back in business quickly from a destructive cyber attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint protection and Exchange filtering.

  • ProSight Data Protection Services (DPS): Managed Backup and Recovery Services
    Progent has worked with leading backup/restore software providers to create ProSight Data Protection Services (DPS), a family of subscription-based offerings that deliver backup-as-a-service. ProSight DPS products manage and monitor your data backup processes and allow non-disruptive backup and rapid restoration of critical files, applications, images, plus VMs. ProSight DPS lets your business recover from data loss resulting from hardware failures, natural disasters, fire, cyber attacks like ransomware, human error, malicious insiders, or software bugs. Managed backup services available in the ProSight DPS product family include ProSight DPS Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup using Barracuda dedicated hardware, and ProSight MSP360 Cloud and On-prem Backup. Your Progent expert can assist you to identify which of these fully managed backup services are most appropriate for your network.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering service that uses the infrastructure of leading data security companies to provide centralized control and comprehensive protection for all your inbound and outbound email. The hybrid structure of Progent's Email Guard managed service combines cloud-based filtering with a local security gateway device to provide complete protection against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks (DHAs), and other email-based threats. Email Guard's cloud filter serves as a preliminary barricade and blocks the vast majority of threats from making it to your network firewall. This reduces your exposure to inbound threats and saves network bandwidth and storage space. Email Guard's onsite security gateway appliance adds a further layer of inspection for inbound email. For outbound email, the on-premises gateway offers anti-virus and anti-spam filtering, protection against data leaks, and email encryption. The local gateway can also assist Exchange Server to track and protect internal email that stays inside your corporate firewall. For more details, visit Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Management
    Progent's ProSight WAN Watch is an infrastructure monitoring and management service that makes it simple and inexpensive for smaller businesses to map out, monitor, optimize and debug their networking appliances such as routers and switches, firewalls, and wireless controllers as well as servers, printers, client computers and other networked devices. Incorporating cutting-edge RMM technology, WAN Watch ensures that infrastructure topology diagrams are always updated, copies and manages the configuration of almost all devices on your network, monitors performance, and sends alerts when issues are detected. By automating time-consuming network management processes, WAN Watch can knock hours off common tasks like network mapping, reconfiguring your network, finding devices that need critical updates, or resolving performance bottlenecks. Find out more details about ProSight WAN Watch infrastructure monitoring and management services.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop monitoring service that incorporates state-of-the-art remote monitoring and management (RMM) techniques to help keep your IT system operating at peak levels by tracking the state of vital computers that drive your information system. When ProSight LAN Watch uncovers a problem, an alert is sent automatically to your designated IT personnel and your Progent engineering consultant so that all looming problems can be addressed before they can impact your network. Find out more details about ProSight LAN Watch server and desktop remote monitoring consulting.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With ProSight Virtual Hosting service, a small or mid-size organization can have its critical servers and applications hosted in a secure fault tolerant data center on a fast virtual machine host set up and managed by Progent's IT support experts. Under the ProSight Virtual Hosting model, the customer retains ownership of the data, the OS platforms, and the applications. Because the environment is virtualized, it can be ported easily to an alternate hosting solution without a time-consuming and technically risky reinstallation process. With ProSight Virtual Hosting, you are not tied a single hosting provider. Find out more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to create, update, retrieve and protect data about your IT infrastructure, processes, business apps, and services. You can quickly find passwords or IP addresses and be warned automatically about upcoming expirations of SSL certificates or warranties. By cleaning up and organizing your IT documentation, you can eliminate as much as 50% of time thrown away searching for vital information about your network. ProSight IT Asset Management includes a common location for storing and sharing all documents required for managing your business network such as standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also offers a high level of automation for collecting and associating IT information. Whether you're planning improvements, doing maintenance, or responding to an emergency, ProSight IT Asset Management delivers the data you require as soon as you need it. Read more about Progent's ProSight IT Asset Management service.

  • Active Protection Against Ransomware: Machine Learning-based Ransomware Detection and Cleanup
    Progent's Active Protection Against Ransomware is an endpoint protection service that utilizes cutting edge behavior-based analysis technology to guard endpoints as well as physical and virtual servers against modern malware attacks such as ransomware and email phishing, which routinely escape legacy signature-matching anti-virus products. Progent Active Security Monitoring services protect on-premises and cloud resources and offers a single platform to address the complete threat lifecycle including protection, identification, mitigation, remediation, and post-attack forensics. Top features include one-click rollback using Windows Volume Shadow Copy Service (VSS) and automatic network-wide immunization against newly discovered attacks. Learn more about Progent's ransomware defense and cleanup services.

  • Outsourced/Co-managed Service Desk: Support Desk Managed Services
    Progent's Support Center services enable your IT group to outsource Help Desk services to Progent or divide responsibilities for support services seamlessly between your in-house support group and Progent's extensive pool of IT service technicians, engineers and subject matter experts. Progent's Co-managed Service Desk provides a smooth supplement to your in-house IT support staff. End user access to the Help Desk, delivery of support, escalation, trouble ticket generation and updates, efficiency measurement, and maintenance of the service database are consistent regardless of whether issues are resolved by your internal network support organization, by Progent's team, or both. Find out more about Progent's outsourced/co-managed Call Center services.

  • Progent's Patch Management: Software/Firmware Update Management Services
    Progent's managed services for software and firmware patch management offer organizations of all sizes a flexible and affordable alternative for assessing, testing, scheduling, applying, and tracking updates to your ever-evolving information system. In addition to optimizing the protection and reliability of your IT environment, Progent's patch management services permit your IT staff to focus on more strategic projects and activities that deliver the highest business value from your network. Learn more about Progent's patch management support services.

  • ProSight Duo Multi-Factor Authentication: ID Confirmation, Endpoint Policy Enforcement, and Secure Single Sign-on (SSO)
    Progent's Duo authentication service plans utilize Cisco's Duo technology to defend against password theft through the use of two-factor authentication. Duo supports single-tap identity verification on Apple iOS, Android, and other out-of-band devices. Using 2FA, whenever you sign into a protected online account and give your password you are asked to verify who you are via a unit that only you have and that uses a separate network channel. A wide range of devices can be used for this second means of ID validation including a smartphone or wearable, a hardware/software token, a landline phone, etc. You can register several validation devices. For more information about Duo identity validation services, refer to Duo MFA two-factor authentication services for access security.
For Santos 24-Hour Crypto Remediation Help, reach out to Progent at 800-462-8800 or go to Contact Progent.