Ransomware : Your Crippling IT Nightmare
Ransomware  Remediation ConsultantsRansomware has become a modern cyberplague that poses an enterprise-level danger for businesses unprepared for an attack. Different iterations of ransomware like the Dharma, WannaCry, Bad Rabbit, SamSam and MongoLock cryptoworms have been running rampant for many years and continue to cause havoc. Newer variants of ransomware like Ryuk and Hermes, along with daily unnamed viruses, not only encrypt on-line data files but also infiltrate most available system backups. Files synchronized to the cloud can also be rendered useless. In a vulnerable data protection solution, it can make automatic recovery impossible and basically sets the datacenter back to square one.

Restoring services and data after a ransomware intrusion becomes a race against time as the victim fights to stop the spread and clear the ransomware and to restore mission-critical activity. Due to the fact that crypto-ransomware takes time to spread, assaults are usually launched during weekends and nights, when attacks typically take more time to discover. This multiplies the difficulty of promptly mobilizing and organizing a qualified response team.

Progent has an assortment of services for protecting businesses from ransomware penetrations. These include staff training to become familiar with and not fall victim to phishing scams, ProSight Active Security Monitoring for remote monitoring and management, plus deployment of the latest generation security gateways with artificial intelligence capabilities to intelligently identify and quarantine new cyber threats. Progent also provides the assistance of seasoned ransomware recovery consultants with the track record and perseverance to reconstruct a breached network as quickly as possible.

Progent's Crypto-Ransomware Recovery Support Services
Subsequent to a crypto-ransomware attack, paying the ransom demands in cryptocurrency does not guarantee that cyber hackers will provide the keys to unencrypt all your data. Kaspersky determined that seventeen percent of crypto-ransomware victims never restored their files even after having sent off the ransom, resulting in more losses. The risk is also expensive. Ryuk ransoms commonly range from fifteen to forty BTC ($120,000 and $400,000). This is well above the typical ransomware demands, which ZDNET determined to be in the range of $13,000. The fallback is to piece back together the mission-critical components of your Information Technology environment. Without access to complete data backups, this calls for a broad complement of skills, well-coordinated team management, and the ability to work continuously until the recovery project is complete.

For two decades, Progent has provided expert IT services for companies in Arlington and throughout the U.S. and has earned Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes consultants who have attained advanced certifications in key technologies like Microsoft, Cisco, VMware, and major distributions of Linux. Progent's security experts have earned internationally-recognized certifications including CISM, CISSP-ISSAP, CRISC, and SANS GIAC. (See Progent's certifications). Progent in addition has experience in accounting and ERP applications. This breadth of expertise affords Progent the capability to efficiently ascertain necessary systems and consolidate the remaining parts of your Information Technology environment after a crypto-ransomware attack and assemble them into an operational network.

Progent's ransomware group has powerful project management tools to coordinate the complex restoration process. Progent appreciates the urgency of acting quickly and in unison with a client's management and Information Technology staff to prioritize tasks and to get critical services back on line as soon as possible.

Case Study: A Successful Crypto-Ransomware Virus Response
A business contacted Progent after their company was penetrated by the Ryuk crypto-ransomware. Ryuk is generally considered to have been created by Northern Korean state cybercriminals, possibly adopting techniques leaked from Americaís NSA organization. Ryuk attacks specific organizations with little or no ability to sustain disruption and is among the most lucrative examples of ransomware. Headline victims include Data Resolution, a California-based information warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a small manufacturer based in the Chicago metro area and has around 500 staff members. The Ryuk intrusion had brought down all company operations and manufacturing capabilities. Most of the client's data backups had been on-line at the time of the intrusion and were destroyed. The client was taking steps for paying the ransom demand (exceeding $200,000) and wishfully thinking for the best, but in the end utilized Progent.


"I cannot speak enough about the help Progent gave us during the most stressful time of (our) businesses life. We most likely would have paid the Hackers if it wasnít for the confidence the Progent experts afforded us. The fact that you were able to get our e-mail and production applications back online in less than seven days was something I thought impossible. Each staff member I spoke to or communicated with at Progent was absolutely committed on getting our company operational and was working all day and night on our behalf."

Progent worked with the client to quickly determine and assign priority to the essential applications that had to be recovered to make it possible to resume business functions:

  • Microsoft Active Directory
  • Microsoft Exchange
  • Accounting/MRP
To start, Progent followed Anti-virus event mitigation best practices by stopping the spread and performing virus removal steps. Progent then started the steps of restoring Microsoft Active Directory, the heart of enterprise networks built on Microsoft Windows technology. Microsoft Exchange Server messaging will not work without Active Directory, and the businessesí financials and MRP system leveraged Microsoft SQL Server, which needs Active Directory services for authentication to the data.

In less than two days, Progent was able to re-build Active Directory services to its pre-virus state. Progent then initiated setup and hard drive recovery of key servers. All Exchange Server ties and configuration information were usable, which accelerated the rebuild of Exchange. Progent was able to collect intact OST files (Microsoft Outlook Off-Line Data Files) on staff workstations and laptops to recover email messages. A recent offline backup of the client's manufacturing software made them able to recover these essential applications back online for users. Although major work remained to recover fully from the Ryuk attack, critical systems were recovered quickly:


"For the most part, the production line operation ran fairly normal throughout and we made all customer shipments."

During the following couple of weeks important milestones in the restoration project were made in tight collaboration between Progent consultants and the customer:

  • Internal web applications were returned to operation without losing any information.
  • The MailStore Server with over 4 million archived messages was brought online and accessible to users.
  • CRM/Customer Orders/Invoicing/Accounts Payable (AP)/Accounts Receivables (AR)/Inventory functions were 100 percent operational.
  • A new Palo Alto Networks 850 firewall was set up.
  • Ninety percent of the user workstations were functioning as before the incident.

"Much of what occurred that first week is mostly a blur for me, but my management will not soon forget the care each of the team accomplished to help get our business back. Iíve been working together with Progent for the past ten years, maybe more, and each time Progent has shined and delivered as promised. This situation was the most impressive ever."

Conclusion
A probable business-killing disaster was dodged due to dedicated experts, a wide spectrum of subject matter expertise, and close collaboration. Although in hindsight the ransomware virus penetration detailed here would have been prevented with modern cyber security systems and NIST Cybersecurity Framework best practices, user training, and well thought out security procedures for information protection and applying software patches, the reality remains that government-sponsored cyber criminals from Russia, North Korea and elsewhere are relentless and represent an ongoing threat. If you do fall victim to a ransomware incursion, remember that Progent's roster of professionals has proven experience in ransomware virus blocking, removal, and file recovery.


"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (and any others who were helping), Iím grateful for letting me get some sleep after we made it over the most critical parts. Everyone did an fabulous effort, and if any of your guys is around the Chicago area, a great meal is on me!"

To review or download a PDF version of this customer case study, please click:
Progent's Ryuk Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Available from Progent
Progent can provide businesses in Arlington a variety of remote monitoring and security assessment services to help you to reduce your vulnerability to crypto-ransomware. These services utilize modern artificial intelligence technology to uncover new variants of ransomware that can evade traditional signature-based anti-virus solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) solution that utilizes next generation behavior analysis technology to guard physical and virtual endpoints against new malware attacks such as ransomware and file-less exploits, which easily get by traditional signature-based anti-virus products. ProSight Active Security Monitoring protects local and cloud resources and offers a single platform to manage the complete malware attack lifecycle including filtering, identification, containment, cleanup, and forensics. Key features include one-click rollback with Windows Volume Shadow Copy Service and automatic system-wide immunization against newly discovered attacks. Learn more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection: Endpoint Protection and Exchange Email Filtering
    ProSight Enhanced Security Protection services deliver affordable in-depth security for physical servers and virtual machines, desktops, mobile devices, and Exchange email. ProSight ESP utilizes adaptive security and advanced machine learning for round-the-clock monitoring and reacting to cyber threats from all vectors. ProSight ESP delivers two-way firewall protection, penetration alerts, endpoint control, and web filtering via leading-edge tools incorporated within one agent managed from a single console. Progent's data protection and virtualization experts can assist your business to plan and configure a ProSight ESP deployment that meets your company's specific requirements and that helps you prove compliance with legal and industry information protection regulations. Progent will assist you define and implement security policies that ProSight ESP will enforce, and Progent will monitor your IT environment and react to alerts that call for urgent attention. Progent can also help you to set up and test a backup and restore system such as ProSight Data Protection Services so you can recover quickly from a potentially disastrous security attack like ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified endpoint security and Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services provide small and mid-sized organizations a low cost and fully managed solution for reliable backup/disaster recovery. For a fixed monthly price, ProSight DPS automates your backup activities and enables rapid recovery of vital files, applications and virtual machines that have become lost or damaged as a result of hardware breakdowns, software bugs, natural disasters, human mistakes, or malicious attacks like ransomware. ProSight DPS can help you protect, retrieve and restore files, folders, applications, system images, as well as Microsoft Hyper-V and VMware images/. Important data can be backed up on the cloud, to a local storage device, or mirrored to both. Progent's BDR consultants can deliver advanced support to set up ProSight DPS to be compliant with regulatory requirements such as HIPPA, FINRA, and PCI and, when needed, can assist you to recover your critical data. Find out more about ProSight Data Protection Services Managed Cloud Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering and email encryption service that uses the infrastructure of top data security vendors to provide centralized control and world-class protection for all your email traffic. The powerful architecture of Progent's Email Guard managed service combines cloud-based filtering with a local gateway appliance to provide advanced defense against spam, viruses, Dos Attacks, DHAs, and other email-based threats. The cloud filter serves as a preliminary barricade and blocks most threats from making it to your network firewall. This decreases your vulnerability to inbound attacks and conserves network bandwidth and storage. Email Guard's onsite gateway appliance adds a deeper level of analysis for inbound email. For outgoing email, the onsite gateway provides anti-virus and anti-spam filtering, protection against data leaks, and email encryption. The onsite security gateway can also assist Exchange Server to monitor and safeguard internal email that stays inside your corporate firewall. For more details, see Email Guard spam and content filtering.

  • ProSight WAN Watch: Infrastructure Management
    Progentís ProSight WAN Watch is an infrastructure management service that makes it simple and inexpensive for small and mid-sized organizations to map out, monitor, enhance and debug their connectivity appliances like routers, firewalls, and wireless controllers plus servers, printers, endpoints and other devices. Using cutting-edge Remote Monitoring and Management technology, WAN Watch ensures that infrastructure topology diagrams are always updated, captures and displays the configuration of almost all devices connected to your network, monitors performance, and generates alerts when issues are discovered. By automating tedious network management processes, ProSight WAN Watch can cut hours off ordinary tasks such as network mapping, expanding your network, finding devices that require important updates, or isolating performance bottlenecks. Learn more about ProSight WAN Watch infrastructure management services.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
    ProSight LAN Watch is Progentís server and desktop remote monitoring managed service that uses state-of-the-art remote monitoring and management techniques to help keep your network running at peak levels by checking the state of vital assets that drive your information system. When ProSight LAN Watch uncovers a problem, an alarm is transmitted automatically to your specified IT management staff and your assigned Progent consultant so that all potential problems can be addressed before they can impact productivity. Find out more about ProSight LAN Watch server and desktop monitoring services.

  • ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
    With Progent's ProSight Virtual Hosting service, a small or mid-size business can have its critical servers and applications hosted in a secure Tier III data center on a fast virtual host set up and managed by Progent's IT support experts. Under Progent's ProSight Virtual Hosting service model, the client retains ownership of the data, the OS software, and the apps. Since the environment is virtualized, it can be moved easily to a different hosting solution without a time-consuming and difficult reinstallation process. With ProSight Virtual Hosting, your business is not locked into one hosting provider. Find out more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to create, maintain, find and safeguard information about your IT infrastructure, procedures, applications, and services. You can quickly find passwords or IP addresses and be alerted about upcoming expirations of SSL certificates ,domains or warranties. By cleaning up and managing your IT documentation, you can eliminate as much as 50% of time thrown away trying to find vital information about your network. ProSight IT Asset Management features a centralized repository for storing and sharing all documents related to managing your network infrastructure like standard operating procedures (SOPs) and How-To's. ProSight IT Asset Management also supports a high level of automation for gathering and associating IT data. Whether youíre planning improvements, doing regular maintenance, or responding to a crisis, ProSight IT Asset Management delivers the information you require as soon as you need it. Read more about ProSight IT Asset Management service.
For Arlington 24x7x365 Crypto Recovery Experts, reach out to Progent at 800-993-9400 or go to Contact Progent.