Ransomware : Your Crippling Information Technology Disaster
Ransomware  Recovery ConsultantsRansomware has become a modern cyber pandemic that presents an extinction-level danger for businesses of all sizes unprepared for an attack. Versions of crypto-ransomware such as Reveton, CryptoWall, Locky, Syskey and MongoLock cryptoworms have been running rampant for a long time and continue to cause destruction. The latest versions of crypto-ransomware such as Ryuk, Maze, Sodinokibi, DopplePaymer, Snatch or Nephilim, plus daily as yet unnamed newcomers, not only encrypt on-line data files but also infiltrate any accessible system backups. Data replicated to off-site disaster recovery sites can also be rendered useless. In a vulnerable system, this can make any recovery useless and basically sets the datacenter back to zero.

Retrieving programs and information following a ransomware event becomes a race against the clock as the targeted business fights to contain the damage and remove the ransomware and to restore mission-critical activity. Since ransomware takes time to spread, attacks are often launched during weekends and nights, when successful penetrations typically take more time to detect. This multiplies the difficulty of rapidly marshalling and organizing a knowledgeable mitigation team.

Progent has a range of services for securing organizations from crypto-ransomware events. Among these are staff education to help recognize and not fall victim to phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, plus deployment of next-generation security solutions with machine learning technology to automatically identify and disable zero-day cyber attacks. Progent in addition provides the services of veteran crypto-ransomware recovery professionals with the track record and commitment to reconstruct a compromised system as soon as possible.

Progent's Ransomware Restoration Support Services
After a ransomware attack, sending the ransom in cryptocurrency does not ensure that cyber hackers will provide the codes to decrypt all your information. Kaspersky Labs estimated that 17% of ransomware victims never restored their files even after having sent off the ransom, resulting in more losses. The risk is also costly. Ryuk ransoms frequently range from 15-40 BTC ($120,000 and $400,000). This is greatly above the usual ransomware demands, which ZDNET determined to be around $13,000. The other path is to setup from scratch the vital elements of your IT environment. Without access to essential system backups, this requires a broad range of IT skills, top notch project management, and the capability to work non-stop until the job is completed.

For twenty years, Progent has provided professional Information Technology services for companies in Adelaide and throughout the United States and has achieved Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes engineers who have earned high-level certifications in key technologies like Microsoft, Cisco, VMware, and major distributions of Linux. Progent's security consultants have garnered internationally-recognized industry certifications including CISA, CISSP-ISSAP, ISACA CRISC, and GIAC. (Refer to Progent's certifications). Progent in addition has expertise in financial systems and ERP application software. This breadth of expertise provides Progent the capability to rapidly ascertain necessary systems and integrate the remaining pieces of your Information Technology system after a ransomware event and configure them into a functioning network.

Progent's ransomware group has best of breed project management tools to orchestrate the complex restoration process. Progent appreciates the urgency of working quickly and in concert with a customerís management and Information Technology team members to assign priority to tasks and to put critical services back on-line as soon as possible.

Client Story: A Successful Crypto-Ransomware Incident Restoration
A business hired Progent after their organization was taken over by the Ryuk ransomware. Ryuk is thought to have been deployed by North Korean state sponsored criminal gangs, possibly using technology leaked from the U.S. National Security Agency. Ryuk seeks specific organizations with little ability to sustain operational disruption and is among the most profitable instances of ransomware. Major organizations include Data Resolution, a California-based info warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a small manufacturing company based in the Chicago metro area with around 500 workers. The Ryuk attack had paralyzed all business operations and manufacturing processes. Most of the client's backups had been online at the start of the attack and were destroyed. The client was actively seeking loans for paying the ransom demand (more than $200K) and praying for good luck, but in the end brought in Progent.


"I cannot tell you enough about the help Progent provided us during the most fearful time of (our) companyís life. We most likely would have paid the cyber criminals except for the confidence the Progent group gave us. The fact that you were able to get our e-mail system and production applications back on-line in less than one week was incredible. Each expert I interacted with or e-mailed at Progent was urgently focused on getting our system up and was working 24 by 7 to bail us out."

Progent worked hand in hand the client to quickly understand and prioritize the critical applications that had to be addressed in order to restart departmental operations:

  • Windows Active Directory
  • Microsoft Exchange Server
  • MRP System
To get going, Progent adhered to ransomware penetration response best practices by halting the spread and clearing up compromised systems. Progent then started the work of restoring Microsoft AD, the heart of enterprise environments built upon Microsoft Windows Server technology. Microsoft Exchange Server email will not operate without AD, and the client's accounting and MRP software used Microsoft SQL, which requires Active Directory for security authorization to the data.

In less than 48 hours, Progent was able to rebuild Active Directory services to its pre-intrusion state. Progent then completed setup and storage recovery of key systems. All Exchange data and configuration information were usable, which facilitated the rebuild of Exchange. Progent was also able to collect intact OST data files (Outlook Offline Data Files) on staff desktop computers to recover mail data. A recent offline backup of the businesses manufacturing software made them able to restore these essential programs back online. Although a large amount of work was left to recover fully from the Ryuk damage, the most important services were restored quickly:


"For the most part, the production manufacturing operation did not miss a beat and we delivered all customer sales."

During the next couple of weeks key milestones in the recovery project were completed through close cooperation between Progent engineers and the client:

  • Self-hosted web applications were returned to operation without losing any data.
  • The MailStore Microsoft Exchange Server with over 4 million historical emails was spun up and accessible to users.
  • CRM/Product Ordering/Invoicing/Accounts Payable (AP)/AR/Inventory Control capabilities were fully recovered.
  • A new Palo Alto 850 security appliance was set up.
  • Most of the user PCs were back into operation.

"A lot of what went on those first few days is nearly entirely a haze for me, but my team will not forget the care each of you accomplished to give us our business back. Iíve been working with Progent for the past 10 years, maybe more, and every time Progent has come through and delivered. This situation was the most impressive ever."

Conclusion
A probable business catastrophe was avoided due to top-tier professionals, a broad range of technical expertise, and tight teamwork. Although upon completion of forensics the ransomware incident described here could have been identified and prevented with advanced security technology solutions and NIST Cybersecurity Framework best practices, user and IT administrator education, and well designed security procedures for information protection and proper patching controls, the fact remains that state-sponsored criminal cyber gangs from China, Russia, North Korea and elsewhere are relentless and are an ongoing threat. If you do fall victim to a ransomware incursion, feel confident that Progent's team of experts has extensive experience in crypto-ransomware virus defense, cleanup, and information systems disaster recovery.


"So, to Darrin, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others who were involved), thanks very much for allowing me to get rested after we got past the most critical parts. All of you did an fabulous job, and if any of your guys is visiting the Chicago area, a great meal is the least I can do!"

To review or download a PDF version of this customer story, please click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent offers companies in Adelaide a portfolio of remote monitoring and security assessment services designed to help you to reduce the threat from ransomware. These services utilize modern AI technology to detect zero-day strains of crypto-ransomware that can escape detection by legacy signature-based anti-virus products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection solution that incorporates cutting edge behavior-based analysis technology to guard physical and virtual endpoints against modern malware assaults such as ransomware and file-less exploits, which routinely escape traditional signature-matching anti-virus products. ProSight Active Security Monitoring safeguards local and cloud-based resources and provides a unified platform to manage the entire threat progression including blocking, detection, containment, cleanup, and forensics. Top features include single-click rollback using Windows Volume Shadow Copy Service and automatic network-wide immunization against new threats. Find out more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Protection and Microsoft Exchange Filtering
    ProSight Enhanced Security Protection services offer affordable in-depth security for physical and virtual servers, workstations, smartphones, and Microsoft Exchange. ProSight ESP uses contextual security and advanced machine learning for round-the-clock monitoring and reacting to security threats from all vectors. ProSight ESP provides firewall protection, penetration alarms, device management, and web filtering via leading-edge tools incorporated within one agent accessible from a single control. Progent's security and virtualization experts can assist you to plan and configure a ProSight ESP deployment that addresses your organization's specific needs and that helps you achieve and demonstrate compliance with government and industry data protection regulations. Progent will help you specify and configure security policies that ProSight ESP will manage, and Progent will monitor your IT environment and respond to alerts that require urgent action. Progent can also assist your company to install and verify a backup and restore system like ProSight Data Protection Services so you can get back in business quickly from a destructive security attack like ransomware. Read more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint protection and Microsoft Exchange email filtering.

  • ProSight Data Protection Services (DPS): Backup and Disaster Recovery Services
    Progent has worked with leading backup/restore software providers to produce ProSight Data Protection Services (DPS), a family of offerings that deliver backup-as-a-service. ProSight DPS services automate and track your backup operations and allow transparent backup and rapid restoration of important files, applications, system images, and virtual machines. ProSight DPS lets your business protect against data loss caused by equipment breakdown, natural disasters, fire, malware such as ransomware, user error, ill-intentioned employees, or software glitches. Managed services available in the ProSight Data Protection Services portfolio include ProSight DPS Ataro VM Backup, ProSight Ataro Office 365 Backup, ProSight ECHO Backup using Barracuda purpose-built hardware, and ProSight MSP360 Cloud and On-prem Backup. Your Progent expert can help you to identify which of these fully managed services are most appropriate for your network.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering and email encryption service that incorporates the technology of top information security companies to provide centralized control and world-class security for your inbound and outbound email. The powerful structure of Email Guard managed service combines a Cloud Protection Layer with a local security gateway device to provide complete protection against spam, viruses, Dos Attacks, Directory Harvest Attacks, and other email-borne malware. Email Guard's cloud filter acts as a preliminary barricade and keeps most threats from reaching your security perimeter. This reduces your exposure to inbound threats and saves system bandwidth and storage. Email Guard's onsite security gateway appliance provides a deeper level of inspection for incoming email. For outbound email, the onsite security gateway offers anti-virus and anti-spam filtering, protection against data leaks, and email encryption. The local security gateway can also assist Microsoft Exchange Server to monitor and safeguard internal email that originates and ends inside your corporate firewall. For more information, see ProSight Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is an infrastructure management service that makes it easy and affordable for smaller organizations to diagram, monitor, enhance and debug their networking appliances like routers, firewalls, and wireless controllers as well as servers, printers, endpoints and other networked devices. Using state-of-the-art Remote Monitoring and Management (RMM) technology, ProSight WAN Watch ensures that infrastructure topology diagrams are kept updated, captures and displays the configuration information of virtually all devices connected to your network, tracks performance, and generates alerts when problems are discovered. By automating tedious management processes, ProSight WAN Watch can knock hours off common chores such as making network diagrams, expanding your network, locating devices that need important software patches, or resolving performance issues. Find out more details about ProSight WAN Watch network infrastructure monitoring and management services.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring
    ProSight LAN Watch is Progentís server and desktop remote monitoring service that incorporates state-of-the-art remote monitoring and management (RMM) techniques to help keep your IT system running at peak levels by checking the health of critical computers that drive your business network. When ProSight LAN Watch detects an issue, an alarm is sent immediately to your specified IT personnel and your Progent consultant so all looming issues can be resolved before they can impact productivity. Find out more about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
    With ProSight Virtual Hosting service, a small business can have its key servers and apps hosted in a protected Tier III data center on a high-performance virtual machine host configured and maintained by Progent's IT support experts. With the ProSight Virtual Hosting model, the client retains ownership of the data, the operating system platforms, and the applications. Because the environment is virtualized, it can be moved easily to an alternate hosting solution without requiring a lengthy and difficult reinstallation process. With ProSight Virtual Hosting, you are not locked into a single hosting provider. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to create, maintain, retrieve and protect data about your network infrastructure, procedures, applications, and services. You can quickly find passwords or serial numbers and be alerted about upcoming expirations of SSLs ,domains or warranties. By cleaning up and managing your IT documentation, you can eliminate up to half of time thrown away trying to find critical information about your IT network. ProSight IT Asset Management features a centralized repository for holding and sharing all documents required for managing your business network such as recommended procedures and self-service instructions. ProSight IT Asset Management also supports a high level of automation for collecting and associating IT information. Whether youíre making improvements, doing regular maintenance, or reacting to an emergency, ProSight IT Asset Management delivers the knowledge you need as soon as you need it. Read more about Progent's ProSight IT Asset Management service.

  • Progent Active Protection Against Ransomware: Machine Learning-based Ransomware Identification and Cleanup
    Progent's Active Protection Against Ransomware is an endpoint protection service that utilizes cutting edge behavior machine learning technology to guard endpoint devices as well as servers and VMs against modern malware attacks like ransomware and file-less exploits, which routinely evade legacy signature-based anti-virus products. Progent Active Security Monitoring services protect on-premises and cloud resources and provides a unified platform to address the entire threat lifecycle including filtering, detection, containment, cleanup, and forensics. Top capabilities include one-click rollback with Windows VSS and automatic network-wide immunization against new threats. Find out more about Progent's ransomware protection and recovery services.

  • Progent's Outsourced/Shared Help Center: Call Center Managed Services
    Progent's Support Center services enable your IT staff to outsource Support Desk services to Progent or divide activity for support services seamlessly between your internal network support team and Progent's nationwide roster of IT support technicians, engineers and subject matter experts (SBEs). Progent's Shared Help Desk Service provides a transparent supplement to your internal IT support team. User interaction with the Help Desk, provision of support, escalation, ticket generation and tracking, efficiency measurement, and maintenance of the support database are consistent whether incidents are resolved by your in-house support organization, by Progent, or by a combination. Find out more about Progent's outsourced/co-managed Help Center services.

  • Progent's Patch Management: Patch Management Services
    Progent's managed services for patch management provide businesses of all sizes a flexible and affordable alternative for evaluating, testing, scheduling, applying, and tracking updates to your dynamic IT system. Besides maximizing the security and reliability of your IT network, Progent's patch management services permit your in-house IT team to concentrate on line-of-business projects and tasks that derive the highest business value from your network. Find out more about Progent's patch management support services.

  • ProSight Duo Two-Factor Authentication: Identity Validation, Endpoint Policy Enforcement, and Secure Single Sign-on (SSO)
    Progent's Duo MFA managed services incorporate Cisco's Duo technology to protect against password theft through the use of two-factor authentication (2FA). Duo enables single-tap identity confirmation with Apple iOS, Google Android, and other out-of-band devices. With Duo 2FA, when you sign into a protected application and give your password you are requested to verify your identity on a device that only you have and that is accessed using a different ("out-of-band") network channel. A wide range of devices can be used as this added means of ID validation such as an iPhone or Android or watch, a hardware token, a landline phone, etc. You may designate several validation devices. For more information about Duo two-factor identity validation services, go to Cisco Duo MFA two-factor authentication (2FA) services.
For 24/7/365 Adelaide CryptoLocker Recovery Consultants, call Progent at 800-462-8800 or go to Contact Progent.