Ransomware : Your Worst IT Catastrophe
Ransomware  Remediation ConsultantsRansomware has become a too-frequent cyberplague that represents an extinction-level threat for organizations poorly prepared for an assault. Different iterations of crypto-ransomware like the Dharma, CryptoWall, Locky, Syskey and MongoLock cryptoworms have been circulating for a long time and still inflict havoc. More recent strains of crypto-ransomware such as Ryuk, Maze, Sodinokibi, Netwalker, Conti or Nephilim, as well as frequent unnamed newcomers, not only encrypt on-line files but also infiltrate many accessible system protection. Files synched to off-site disaster recovery sites can also be encrypted. In a poorly architected system, this can render automatic restoration useless and effectively sets the network back to square one.

Getting back online programs and data after a ransomware event becomes a sprint against the clock as the victim fights to stop the spread and cleanup the ransomware and to resume mission-critical activity. Since crypto-ransomware requires time to spread, assaults are frequently launched on weekends and holidays, when successful penetrations may take more time to detect. This compounds the difficulty of rapidly mobilizing and orchestrating a capable response team.

Progent makes available an assortment of solutions for securing organizations from ransomware events. Among these are team member education to help recognize and not fall victim to phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, in addition to deployment of next-generation security appliances with artificial intelligence capabilities to rapidly discover and quarantine day-zero cyber attacks. Progent also offers the services of seasoned ransomware recovery professionals with the skills and perseverance to restore a breached system as urgently as possible.

Progent's Ransomware Restoration Support Services
Following a ransomware attack, paying the ransom demands in Bitcoin cryptocurrency does not guarantee that cyber hackers will respond with the needed keys to decipher any of your data. Kaspersky Labs determined that 17% of ransomware victims never restored their information even after having sent off the ransom, resulting in increased losses. The risk is also expensive. Ryuk ransoms frequently range from fifteen to forty BTC ($120,000 and $400,000). This is well above the typical ransomware demands, which ZDNET determined to be approximately $13,000. The alternative is to piece back together the essential elements of your Information Technology environment. Without access to essential data backups, this calls for a broad complement of skill sets, top notch project management, and the willingness to work continuously until the recovery project is finished.

For two decades, Progent has offered certified expert IT services for companies in Arlington and across the United States and has earned Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes consultants who have attained high-level certifications in leading technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cyber security engineers have earned internationally-recognized certifications including CISM, CISSP, CRISC, and SANS GIAC. (Refer to Progent's certifications). Progent in addition has expertise in financial management and ERP application software. This breadth of experience gives Progent the capability to efficiently determine necessary systems and consolidate the surviving parts of your IT system after a crypto-ransomware event and assemble them into a functioning system.

Progent's ransomware team deploys top notch project management systems to orchestrate the complicated recovery process. Progent knows the urgency of acting swiftly and in concert with a customerís management and Information Technology team members to assign priority to tasks and to put key services back on line as soon as humanly possible.

Customer Case Study: A Successful Ransomware Incident Restoration
A business sought out Progent after their network was crashed by the Ryuk ransomware. Ryuk is believed to have been developed by North Korean government sponsored cybercriminals, possibly adopting approaches leaked from the United States NSA organization. Ryuk targets specific organizations with little or no tolerance for disruption and is one of the most lucrative instances of ransomware malware. High publicized victims include Data Resolution, a California-based information warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a regional manufacturing business located in Chicago with about 500 employees. The Ryuk penetration had paralyzed all company operations and manufacturing processes. The majority of the client's data backups had been directly accessible at the time of the intrusion and were eventually encrypted. The client was evaluating paying the ransom (exceeding $200,000) and wishfully thinking for the best, but ultimately brought in Progent.


"I canít tell you enough in regards to the expertise Progent gave us throughout the most fearful period of (our) businesses life. We most likely would have paid the criminal gangs except for the confidence the Progent team provided us. The fact that you were able to get our e-mail and key servers back online in less than 1 week was beyond my wildest dreams. Every single expert I talked with or messaged at Progent was laser focused on getting my company operational and was working 24/7 on our behalf."

Progent worked together with the client to rapidly assess and prioritize the essential systems that had to be restored in order to restart company operations:

  • Active Directory (AD)
  • Electronic Messaging
  • Accounting/MRP
To start, Progent followed ransomware penetration mitigation industry best practices by halting lateral movement and disinfecting systems. Progent then started the work of bringing back online Active Directory, the key technology of enterprise environments built on Microsoft Windows technology. Microsoft Exchange email will not operate without AD, and the client's financials and MRP system used Microsoft SQL Server, which depends on Active Directory services for authentication to the information.

Within 2 days, Progent was able to restore Active Directory to its pre-virus state. Progent then charged ahead with rebuilding and hard drive recovery of needed applications. All Microsoft Exchange Server ties and attributes were intact, which accelerated the restore of Exchange. Progent was able to collect local OST data files (Microsoft Outlook Off-Line Data Files) on user PCs and laptops in order to recover mail data. A not too old off-line backup of the client's accounting/MRP systems made them able to return these essential services back online for users. Although major work still had to be done to recover completely from the Ryuk attack, critical systems were restored quickly:


"For the most part, the production operation never missed a beat and we produced all customer shipments."

Throughout the following couple of weeks critical milestones in the restoration process were accomplished through close cooperation between Progent team members and the client:

  • Internal web applications were returned to operation without losing any information.
  • The MailStore Microsoft Exchange Server containing more than four million archived messages was spun up and accessible to users.
  • CRM/Product Ordering/Invoicing/AP/AR/Inventory Control functions were 100 percent functional.
  • A new Palo Alto Networks 850 security appliance was installed and configured.
  • Nearly all of the user desktops were being used by staff.

"Much of what was accomplished those first few days is mostly a blur for me, but our team will not forget the care each of you put in to help get our business back. I have utilized Progent for at least 10 years, possibly more, and every time I needed help Progent has come through and delivered as promised. This situation was a testament to your capabilities."

Conclusion
A probable business extinction catastrophe was dodged due to results-oriented experts, a broad range of technical expertise, and close collaboration. Although upon completion of forensics the crypto-ransomware virus incident described here could have been blocked with modern security solutions and security best practices, user education, and well thought out security procedures for information protection and proper patching controls, the fact remains that government-sponsored cyber criminals from Russia, China and elsewhere are tireless and will continue. If you do fall victim to a ransomware virus, feel confident that Progent's team of experts has substantial experience in crypto-ransomware virus blocking, cleanup, and data restoration.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (along with others that were helping), thank you for letting me get rested after we made it through the initial fire. Everyone did an amazing job, and if anyone that helped is in the Chicago area, a great meal is on me!"

To read or download a PDF version of this case study, please click:
Progent's Crypto-Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Available from Progent
Progent offers companies in Arlington a variety of online monitoring and security evaluation services designed to help you to minimize your vulnerability to crypto-ransomware. These services include next-generation machine learning technology to uncover new strains of ransomware that can get past traditional signature-based anti-virus products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring is an endpoint protection solution that incorporates next generation behavior machine learning technology to defend physical and virtual endpoints against new malware assaults like ransomware and file-less exploits, which routinely evade traditional signature-based anti-virus products. ProSight Active Security Monitoring safeguards local and cloud-based resources and offers a single platform to automate the complete malware attack progression including protection, detection, containment, cleanup, and forensics. Top features include single-click rollback with Windows Volume Shadow Copy Service and automatic system-wide immunization against new threats. Read more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection: Physical and Virtual Endpoint Protection and Microsoft Exchange Email Filtering
    Progent's ProSight Enhanced Security Protection managed services deliver ultra-affordable multi-layer security for physical and virtual servers, workstations, smartphones, and Exchange email. ProSight ESP uses contextual security and advanced machine learning for continuously monitoring and responding to cyber assaults from all attack vectors. ProSight ESP offers firewall protection, intrusion alerts, device control, and web filtering through leading-edge tools incorporated within one agent managed from a unified console. Progent's data protection and virtualization experts can help your business to design and configure a ProSight ESP environment that addresses your organization's unique needs and that allows you achieve and demonstrate compliance with government and industry data security regulations. Progent will help you specify and configure policies that ProSight ESP will enforce, and Progent will monitor your network and respond to alerts that call for urgent action. Progent can also help you to set up and test a backup and disaster recovery solution like ProSight Data Protection Services so you can recover quickly from a potentially disastrous security attack like ransomware. Find out more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint security and Microsoft Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery
    ProSight Data Protection Services from Progent offer small and medium-sized businesses a low cost and fully managed solution for secure backup/disaster recovery. Available at a fixed monthly rate, ProSight DPS automates and monitors your backup activities and allows rapid restoration of critical data, apps and VMs that have become lost or damaged as a result of component breakdowns, software bugs, natural disasters, human mistakes, or malicious attacks like ransomware. ProSight DPS can help you protect, recover and restore files, folders, applications, system images, plus Hyper-V and VMware images/. Critical data can be protected on the cloud, to a local storage device, or mirrored to both. Progent's backup and recovery consultants can provide world-class support to configure ProSight Data Protection Services to be compliant with government and industry regulatory standards such as HIPAA, FINRA, PCI and Safe Harbor and, when needed, can assist you to restore your business-critical information. Find out more about ProSight Data Protection Services Managed Cloud Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering service that uses the infrastructure of top information security companies to deliver web-based management and comprehensive protection for your inbound and outbound email. The powerful architecture of Email Guard integrates a Cloud Protection Layer with a local gateway device to offer complete defense against spam, viruses, Denial of Service (DoS) Attacks, DHAs, and other email-borne malware. The Cloud Protection Layer serves as a preliminary barricade and blocks the vast majority of unwanted email from reaching your security perimeter. This decreases your vulnerability to external attacks and conserves system bandwidth and storage. Email Guard's on-premises security gateway appliance adds a further layer of inspection for inbound email. For outbound email, the on-premises security gateway provides AV and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The on-premises gateway can also assist Microsoft Exchange Server to track and protect internal email traffic that originates and ends inside your corporate firewall. For more details, see ProSight Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Management
    ProSight WAN Watch is an infrastructure management service that makes it easy and affordable for smaller organizations to map, track, enhance and troubleshoot their connectivity appliances like routers and switches, firewalls, and load balancers as well as servers, endpoints and other networked devices. Incorporating state-of-the-art RMM technology, ProSight WAN Watch ensures that network diagrams are always current, captures and displays the configuration of virtually all devices on your network, monitors performance, and generates alerts when potential issues are detected. By automating complex management activities, ProSight WAN Watch can cut hours off common tasks like network mapping, reconfiguring your network, finding devices that require critical software patches, or resolving performance bottlenecks. Find out more about ProSight WAN Watch infrastructure monitoring and management services.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
    ProSight LAN Watch is Progentís server and desktop monitoring service that uses state-of-the-art remote monitoring and management technology to keep your network operating at peak levels by tracking the state of critical computers that drive your business network. When ProSight LAN Watch uncovers a problem, an alarm is sent immediately to your designated IT management staff and your assigned Progent engineering consultant so that all potential issues can be addressed before they can disrupt productivity. Find out more about ProSight LAN Watch server and desktop monitoring consulting.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
    With Progent's ProSight Virtual Hosting service, a small or mid-size organization can have its critical servers and applications hosted in a secure fault tolerant data center on a fast virtual machine host set up and maintained by Progent's IT support experts. With the ProSight Virtual Hosting service model, the client owns the data, the operating system platforms, and the applications. Because the environment is virtualized, it can be ported easily to a different hardware environment without requiring a time-consuming and difficult configuration procedure. With ProSight Virtual Hosting, you are not tied one hosting provider. Learn more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to create, update, find and safeguard information related to your network infrastructure, procedures, business apps, and services. You can quickly locate passwords or IP addresses and be warned about upcoming expirations of SSL certificates or domains. By updating and managing your IT documentation, you can eliminate up to half of time wasted trying to find critical information about your network. ProSight IT Asset Management features a centralized repository for holding and sharing all documents related to managing your network infrastructure like standard operating procedures (SOPs) and How-To's. ProSight IT Asset Management also offers a high level of automation for collecting and associating IT information. Whether youíre making enhancements, doing regular maintenance, or responding to a crisis, ProSight IT Asset Management gets you the information you need as soon as you need it. Read more about ProSight IT Asset Management service.
For Arlington 24-Hour Ransomware Remediation Help, reach out to Progent at 800-462-8800 or go to Contact Progent.