Ransomware: Your Crippling IT Nightmare
Ransomware Recovery Experts
Crypto-ransomware has become a modern cyber pandemic that poses an extinction-level threat to businesses of all sizes that are unprepared for an attack. Ransomware families such as CrySIS, CryptoWall, Bad Rabbit, Syskey and the MongoLock cryptoworms have been in the wild for a long time and continue to cause destruction. Recent crypto-ransomware strains like Ryuk and Hermes, as well as additional unnamed variants, not only encrypt online data files but also defeat most of the system protections that have been configured. Files synchronized to cloud environments can be encrypted as well. With a poorly designed data protection solution, this can make automated recovery hopeless and effectively sets the network back to square one.

Restoring services and data after a ransomware outage becomes a race against the clock as the targeted organization struggles to stop lateral movement, remove the crypto-ransomware, and bring mission-critical operations back. Because crypto-ransomware takes time to move laterally, attacks are often launched at night, when a successful intrusion is likely to take longer to identify. This multiplies the difficulty of rapidly marshalling and coordinating a knowledgeable response team.

Progent offers a range of support services for protecting organizations from ransomware events. Among these are staff training to recognize and avoid phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and deployment of next-generation security gateways with machine learning capabilities to quickly detect and suppress new cyber threats. Progent also provides veteran ransomware recovery consultants with the skills and commitment to restore a breached system as urgently as possible.

Progent's Ransomware Restoration Services
After a ransomware intrusion, even paying the ransom in cryptocurrency does not guarantee that the criminal gang will provide the keys to decrypt any or all of your files. Kaspersky Labs determined that 17% of ransomware victims never recovered their files even after paying the ransom, resulting in increased losses. The gamble is also expensive. Ryuk ransoms often range from fifteen to forty BTC ($120,000 to $400,000). This is significantly above the typical ransomware demand, which ZDNET estimates at approximately $13,000. The alternative is to rebuild the critical parts of your Information Technology environment from scratch. Without usable system backups, this requires a wide complement of skill sets, top-notch team management, and the ability to work 24x7 until the recovery project is finished.

For two decades, Progent has provided professional Information Technology services for companies in Arlington and throughout the U.S. and has achieved Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes engineers who hold high-level certifications in leading technologies from Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cyber security specialists have earned internationally recognized certifications including CISM, CISSP-ISSAP, ISACA CRISC, and GIAC. (Refer to Progent's certifications.) Progent also has experience with accounting and ERP application software. This breadth of expertise allows Progent to rapidly understand critical systems, gather the surviving pieces of your network after a ransomware event, and reassemble them into an operational system.

Progent's ransomware team uses top-notch project management applications to orchestrate the complex restoration process. Progent understands the urgency of acting quickly and in unison with a customer's management and IT staff to prioritize tasks and put critical services back online as soon as possible.

Case Study: A Successful Crypto-Ransomware Attack Recovery
A business escalated to Progent after its organization was penetrated by Ryuk ransomware. Ryuk is generally considered to have been developed by North Korean government-sponsored hackers, suspected of adopting techniques that were leaked from the U.S. National Security Agency. Ryuk targets specific businesses with limited ability to sustain operational disruption and is one of the most lucrative instances of ransomware. Headline victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a single-location manufacturing business in the Chicago metro area with around 500 employees. The Ryuk intrusion had shut down all essential business and manufacturing processes. Most of the client's backups were online and directly reachable from the network when the intrusion began, and they were encrypted along with the production data. The client considered paying the ransom demand (exceeding $200,000) and hoping for the best, but in the end engaged Progent.


"I cannot speak enough about the care Progent gave us during the most stressful time of (our) company's life. We would have paid the cyber criminals behind the attack if it wasn't for the confidence the Progent experts provided us. That you were able to get our e-mail and critical servers back into operation sooner than five days was beyond my wildest dreams. Each consultant I worked with or communicated with at Progent was absolutely committed to getting us back on-line and was working non-stop to bail us out."

Progent worked with the customer to quickly identify and prioritize the mission-critical services that had to be restored before departmental operations could resume:

  • Active Directory (AD)
  • Exchange Server
  • MRP System

To start, Progent followed malware incident response best practices by containing the spread and removing active infections. Progent then began rebuilding Active Directory, the core technology of enterprise networks built on Microsoft Windows. Exchange email will not operate without Active Directory, and the client's MRP system ran on Microsoft SQL Server, which relies on Windows AD to authenticate and authorize access to its data.

Within 48 hours, Progent was able to rebuild Windows Active Directory to its pre-attack state. Progent then performed reinstallations and storage recovery on key systems. All Exchange Server links to AD and configuration information were intact, which greatly helped the restoration of Exchange. Progent was also able to collect local OST files (Outlook Offline Data Files) from user workstations to recover mail data. A fairly recent offline backup of the customer's financials/ERP software made it possible to bring these essential services back into use. Although major work remained to recover fully from the Ryuk event, the most important systems were restored quickly:


"For the most part, the production operation showed little impact and we delivered all customer shipments."

Over the following few weeks, key milestones in the recovery project were reached through close cooperation between Progent consultants and the customer:

  • In-house web sites were returned to operation without losing any information.
  • The MailStore Exchange Server archive, holding more than 4 million historical emails, was brought back online and made available to users.
  • CRM/Orders/Invoicing/Accounts Payable/Accounts Receivables (AR)/Inventory Control capabilities were 100 percent recovered.
  • A new Palo Alto 850 firewall was set up.
  • Most of the user desktops and notebooks were operational.

"Much of what transpired during the initial response is nearly entirely a blur for me, but our team will not forget the countless hours each and every one of your team put in to help get our company back. I've been working with Progent for the past ten years, possibly more, and every time Progent has outperformed my expectations and delivered. This event was no exception but maybe more Herculean."

Conclusion
A likely business-ending catastrophe was averted by results-oriented professionals, a wide spectrum of knowledge, and tight teamwork. Although in hindsight the crypto-ransomware intrusion described here could have been prevented with modern cyber security technology and ISO/IEC 27001 best practices, staff education, and well-thought-out procedures for data backup and patch management, the fact is that government-sponsored hackers from China, Russia, North Korea and elsewhere are tireless and are not going away. If you do fall victim to a ransomware attack, be confident that Progent's roster of experts has a proven track record in crypto-ransomware defense, remediation, and data restoration.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (and any others who were involved), thanks very much for allowing me to get rested after we got over the initial push. All of you did an impressive effort, and if any of your guys is in the Chicago area, dinner is the least I can do!"

To review or download a PDF version of this customer story, please click:
Progent's Crypto-Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent offers companies in Arlington a variety of remote monitoring and security evaluation services designed to help you minimize the threat from ransomware. These services incorporate next-generation AI capabilities to detect zero-day strains of ransomware that can get past legacy signature-based security solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection service that utilizes next generation behavior machine learning tools to defend physical and virtual endpoints against modern malware assaults like ransomware and email phishing, which easily escape traditional signature-based anti-virus products. ProSight Active Security Monitoring protects local and cloud-based resources and provides a single platform to address the complete malware attack progression including blocking, infiltration detection, containment, cleanup, and forensics. Top features include single-click rollback with Windows VSS and real-time network-wide immunization against newly discovered attacks. Find out more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection: Endpoint Security and Exchange Email Filtering
    Progent's ProSight Enhanced Security Protection (ESP) services offer ultra-affordable multi-layer protection for physical servers and VMs, workstations, mobile devices, and Exchange Server. ProSight ESP uses adaptive security and advanced machine learning to continuously monitor and react to security attacks from all attack vectors. ProSight ESP offers two-way firewall protection, intrusion alarms, device management, and web filtering through leading-edge tools incorporated within a single agent managed from a single console. Progent's security and virtualization experts can help your business design and configure a ProSight ESP environment that addresses your company's unique needs and that allows you to prove compliance with legal and industry information protection standards. Progent will assist you in specifying and implementing the policies that ProSight ESP will enforce, and Progent will monitor your network and respond to alerts that call for immediate action. Progent's consultants can also help your company install and verify a backup and restore solution such as ProSight Data Protection Services so you can get back in business rapidly after a destructive security attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint security and Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services offer small and mid-sized organizations an affordable and fully managed service for secure backup/disaster recovery. For a low monthly price, ProSight DPS automates and monitors your backup processes and enables rapid restoration of critical files, applications and VMs that have become unavailable or damaged as a result of component breakdowns, software glitches, disasters, human mistakes, or malicious attacks like ransomware. ProSight DPS can help you protect, recover and restore files, folders, apps, system images, plus Hyper-V and VMware virtual machine images. Important data can be protected on the cloud, to a local device, or to both. Progent's BDR specialists can provide advanced expertise to set up ProSight Data Protection Services to be compliant with regulatory standards like HIPAA, FINRA, and PCI and, whenever necessary, can assist you to recover your business-critical information. Learn more about ProSight DPS Managed Cloud Backup.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering service that uses the infrastructure of leading data security vendors to deliver web-based management and world-class protection for your inbound and outbound email. The hybrid architecture of Progent's Email Guard managed service integrates a Cloud Protection Layer with a local gateway device to provide complete defense against spam, viruses, Denial of Service (DoS) Attacks, Directory Harvest Attacks, and other email-borne malware. Email Guard's cloud filter serves as a first line of defense and keeps the vast majority of threats from reaching your security perimeter. This reduces your vulnerability to inbound threats and saves network bandwidth and storage space. Email Guard's onsite gateway device provides a deeper level of analysis for incoming email. For outgoing email, the on-premises gateway offers anti-virus and anti-spam filtering, DLP, and email encryption. The onsite gateway can also help Exchange Server to track and protect internal email traffic that stays inside your corporate firewall. For more information, see ProSight Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Network Infrastructure Management
    ProSight WAN Watch is an infrastructure monitoring and management service that makes it easy and affordable for smaller businesses to map, track, enhance and troubleshoot their networking hardware like routers, firewalls, and wireless controllers as well as servers, endpoints and other devices. Incorporating cutting-edge RMM technology, WAN Watch ensures that network maps are kept updated, copies and manages the configuration information of almost all devices connected to your network, monitors performance, and generates notices when problems are detected. By automating time-consuming network management activities, ProSight WAN Watch can knock hours off common tasks like network mapping, reconfiguring your network, finding appliances that require critical updates, or identifying the cause of performance bottlenecks. Find out more about ProSight WAN Watch infrastructure management services.

  • ProSight LAN Watch: Server and Desktop Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that uses advanced remote monitoring and management technology to keep your IT system operating efficiently by tracking the state of the critical computers that power your business network. When ProSight LAN Watch detects an issue, an alert is sent automatically to your designated IT management personnel and your assigned Progent engineering consultant so that looming problems can be resolved before they impact your network. Learn more about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With Progent's ProSight Virtual Hosting service, a small or mid-size organization can have its critical servers and applications hosted in a protected, fault-tolerant data center on a fast virtual host configured and maintained by Progent's IT support professionals. Under the ProSight Virtual Hosting service model, the customer owns the data, the operating system platforms, and the applications. Since the system is virtualized, it can be moved quickly to a different hosting solution without a time-consuming and technically risky reconfiguration process. With ProSight Virtual Hosting, your business is not tied to one hosting provider. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to capture, maintain, find and safeguard information about your network infrastructure, procedures, business apps, and services. You can quickly locate passwords or serial numbers and be alerted about upcoming expirations of SSL certificates or warranties. By cleaning up and managing your IT documentation, you can eliminate as much as 50% of the time wasted looking for vital information about your IT network. ProSight IT Asset Management provides a centralized location for holding and sharing all documents related to managing your network infrastructure, such as standard operating procedures and How-To's. ProSight IT Asset Management also offers a high level of automation for gathering and associating IT information. Whether you're making enhancements, performing maintenance, or reacting to an emergency, ProSight IT Asset Management delivers the information you require the instant you need it. Read more about Progent's ProSight IT Asset Management service.

For 24x7 ransomware recovery consultants in Arlington, call Progent at 800-993-9400 or go to Contact Progent.