Ransomware: Your Crippling IT Catastrophe
Crypto-Ransomware Remediation Consultants
Crypto-ransomware has become a modern cyber pandemic and represents an extinction-level threat for organizations poorly prepared for an attack. Strains such as CryptoLocker, WannaCry, Locky, SamSam and MongoLock have been running rampant for years and still cause damage. Modern variants such as Ryuk, Maze, Sodinokibi (REvil), Netwalker, Conti and Egregor, along with frequent unnamed strains, not only encrypt online data files but also defeat many common system protections: they delete volume shadow copies, stop backup services, and encrypt any backup volume they can reach. Data replicated to off-site disaster recovery sites can also be encrypted. In a poorly architected system this can make automated recovery impossible and effectively knocks the network back to square one.

Recovering applications and information after a ransomware outage becomes a race against time as the victim tries to stop lateral movement, eradicate the crypto-ransomware, and resume mission-critical operations. Because crypto-ransomware needs time to spread, attacks are often triggered on weekends or holidays, when they take longer to detect and staff are harder to reach. This compounds the difficulty of rapidly assembling and organizing a knowledgeable mitigation team.
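The timing point above is what an off-hours detector should key on: a single host touching an unusual number of distinct files within a short window, or writing files with a known encrypted-file extension or ransom-note name. The following is an added illustration of that logic, not Progent's code or tooling. It assumes file-server object-access audit events (Windows event ID 4663 or an equivalent file-audit feed) flattened to a constructed `timestamp,host,user,path,action` line format; the thresholds, the `.ryk` extension list and the business-hours range are example values to calibrate per environment, and the sample lines are constructed, not real telemetry.

```python
"""Flag ransomware-style file-modification bursts in file-audit events.

Added illustration (not Progent's code). Input lines are a constructed,
simplified form of Windows object-access audit events (event ID 4663 or a
file-server audit feed) flattened to: ISO-8601 timestamp,host,user,path,action
"""
import os
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Tunables: assumed values for this example, calibrate per share and server.
WINDOW = timedelta(seconds=60)             # sliding window per host
DISTINCT_FILE_THRESHOLD = 40               # distinct files modified within WINDOW
SUSPECT_EXTENSIONS = {".ryk", ".locked", ".encrypted"}     # .ryk: extension Ryuk appends
RANSOM_NOTE_NAMES = {"ryukreadme.txt", "ryukreadme.html"}  # Ryuk's ransom-note file names
BUSINESS_HOURS = range(7, 19)              # 07:00-18:59 local time, Monday-Friday
WRITE_ACTIONS = {"Write", "Rename", "Create"}


def parse_event(line):
    """Parse 'timestamp,host,user,path,action'; return None for malformed lines."""
    parts = line.rstrip("\n").split(",", 4)
    if len(parts) != 5:
        return None
    ts, host, user, path, action = parts
    try:
        when = datetime.fromisoformat(ts)
    except ValueError:
        return None
    return {"ts": when, "host": host, "user": user, "path": path, "action": action}


def off_hours(when):
    """Weekends and nights: the times the text says attacks are launched."""
    return when.weekday() >= 5 or when.hour not in BUSINESS_HOURS


def detect(lines):
    """Return one alert per (host, kind). Two detectors run on every event:
    1. known indicators: a ransom-note file name or an encrypted-file extension;
    2. volume: >= DISTINCT_FILE_THRESHOLD distinct files modified by one host within WINDOW.
    """
    alerts, fired = [], set()
    recent = defaultdict(deque)            # host -> deque of (timestamp, path) inside WINDOW

    def raise_alert(kind, ev, **extra):
        key = (ev["host"], kind)
        if key in fired:                   # suppress repeat alerts for the same host
            return
        fired.add(key)
        alerts.append({"kind": kind, "host": ev["host"], "user": ev["user"],
                       "first_seen": ev["ts"].isoformat(),
                       "off_hours": off_hours(ev["ts"]), **extra})

    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["action"] not in WRITE_ACTIONS:
            continue
        # Normalise UNC backslashes so basename/splitext work on any platform.
        name = os.path.basename(ev["path"].replace("\\", "/")).lower()
        ext = os.path.splitext(name)[1]
        if name in RANSOM_NOTE_NAMES or ext in SUSPECT_EXTENSIONS:
            raise_alert("indicator", ev, path=ev["path"])

        window = recent[ev["host"]]
        window.append((ev["ts"], ev["path"]))
        while window and ev["ts"] - window[0][0] > WINDOW:
            window.popleft()
        distinct = len({p for _, p in window})
        if distinct >= DISTINCT_FILE_THRESHOLD:
            raise_alert("mass_write", ev, files=distinct)
    return alerts


def constructed_sample():
    """Constructed sample audit lines (not real telemetry)."""
    lines = []
    t = datetime(2020, 11, 25, 10, 30)    # Wednesday: ordinary saves from a workstation
    for i in range(5):
        ts = (t + timedelta(seconds=10 * i)).isoformat()
        lines.append(f"{ts},WS07,CORP\\asmith,\\\\FS01\\shares\\eng\\drawing{i}.dwg,Write")
    t = datetime(2020, 11, 28, 2, 14)     # Saturday 02:14: 60 files renamed to .ryk in 18 s
    for i in range(60):
        ts = (t + timedelta(milliseconds=300 * i)).isoformat()
        lines.append(f"{ts},FS01,CORP\\svc_backup,\\\\FS01\\shares\\finance\\inv{i:03d}.xlsx.ryk,Rename")
    ts = (t + timedelta(seconds=20)).isoformat()
    lines.append(f"{ts},FS01,CORP\\svc_backup,\\\\FS01\\shares\\finance\\RyukReadMe.html,Create")
    lines.append("garbage line with no fields")   # exercises the malformed-line branch
    return lines


if __name__ == "__main__":
    for alert in detect(constructed_sample()):
        print(alert)
```

Run against the constructed sample, the workstation's five weekday saves produce nothing, while the file server raises an indicator alert on the first `.ryk` rename and a volume alert once 40 distinct files have been touched, both flagged as off-hours. The indicator check catches a known family immediately; the volume check is what catches the unnamed strain, at the cost of needing a threshold tuned to each share's normal churn.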

Progent offers a range of services for protecting enterprises from ransomware penetrations. Among these are staff training to recognize and avoid phishing attempts, ProSight Active Security Monitoring (ASM) for behavior-based endpoint protection, and deployment of next-generation security appliances with machine-learning capabilities to rapidly detect and contain zero-day threats. Progent also provides experienced ransomware recovery consultants with the skills and commitment to rebuild a breached system as quickly as possible.

Progent's Ransomware Recovery Help
After a crypto-ransomware attack, paying the ransom in Bitcoin provides no assurance that the criminals will hand over the keys to decrypt any or all of your data. Kaspersky found that 17% of ransomware victims never recovered their files after paying the ransom, compounding their losses. The gamble is also expensive. Ryuk ransoms frequently range from 15 to 40 BTC ($120,000 to $400,000), far above the typical ransomware demand, which ZDNet put at around $13,000. The alternative is to rebuild the mission-critical components of your IT environment from scratch. Without usable backups of essential data, this calls for a wide range of IT skills, top-notch project management, and the ability to work continuously until the recovery is complete.

For decades, Progent has provided expert IT services for businesses in Atlanta and throughout the U.S. and has earned Microsoft Gold Partner status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes professionals with advanced certifications in foundation technologies from Microsoft, Cisco and VMware and in the major Linux distributions. Progent's security engineers hold internationally recognized certifications including CISM, CISSP, CRISC and GIAC (see Progent's certifications). Progent also has expertise with accounting and ERP applications. This breadth of experience lets Progent quickly understand the affected systems, salvage the remaining pieces of your network environment after a crypto-ransomware attack, and reassemble them into a functioning network.

Progent's security group deploys state-of-the-art project management systems to coordinate the sophisticated restoration process. Progent understands the urgency of acting swiftly and in unison with a client's management and IT resources to prioritize tasks and to put essential applications back on-line as fast as humanly possible.

Business Case Study: A Successful Ransomware Virus Response
A client contacted Progent after their network had been penetrated by Ryuk crypto-ransomware. Ryuk was initially attributed to North Korean state-sponsored actors because it shares code with the earlier Hermes ransomware, but subsequent analysis tied it to a Russian-speaking criminal group (tracked as Wizard Spider) that typically gains initial access through TrickBot or Emotet infections. Ryuk targets specific organizations with little or no tolerance for disruption and is one of the most lucrative ransomware families. Highly publicized victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a single-location manufacturing business in the Chicago metro area with about 500 employees. The Ryuk penetration had halted all company operations and manufacturing. Most of the client's system backups had been online when the attack began and were eventually encrypted. The client was arranging financing to pay the ransom (more than $200,000) and hoping for the best, but in the end engaged Progent.


"I can't speak enough in regards to the care Progent provided us throughout the most critical time of (our) company's survival. We may have had to pay the hackers behind this attack except for the confidence the Progent experts afforded us. The fact that you could get our e-mail and important applications back in less than seven days was incredible. Every single expert I talked with or e-mailed at Progent was hell bent on getting us back on-line and was working day and night on our behalf."

Progent worked together with the client to quickly determine and assign priority to the critical services that had to be restored in order to resume business functions:

  • Active Directory (AD)
  • Microsoft Exchange Server
  • Accounting/MRP
To start, Progent followed incident response best practices for malware outbreaks: isolating affected systems to stop the spread and cleaning or rebuilding infected hosts before anything was reconnected. Progent then began restoring Windows Active Directory, the foundation of any environment built on Microsoft Windows Server. Microsoft Exchange will not function without AD, and the client's MRP software ran on SQL Server, which depended on AD for authentication and authorization to the data.

Within two days, Progent had rebuilt Windows Active Directory to its pre-attack state. Progent then began reinstalling applications and recovering data from surviving disks. All Exchange Server configuration and connection information was intact, which simplified the Exchange restore. Progent was also able to collect unencrypted OST files (Outlook Offline Data Files) from various PCs and laptops and use them to recover mailbox data. A recent offline backup of the client's manufacturing software allowed Progent to bring those required programs back into service. Although major work remained to recover fully from the Ryuk damage, the most important systems were returned to operation quickly:


"For the most part, the manufacturing operation never missed a beat and we did not miss any customer shipments."

Throughout the next few weeks critical milestones in the recovery process were achieved through tight cooperation between Progent consultants and the client:

  • Self-hosted web applications were returned to operation without losing any data.
  • The MailStore email archive, holding over 4 million archived Exchange messages, was brought online and made available to users.
  • CRM, orders, invoicing, accounts payable, accounts receivable (AR) and inventory functions were 100 percent operational.
  • A new Palo Alto 850 firewall was deployed.
  • Most of the user workstations were operational.

"A lot of what was accomplished during the initial response is nearly entirely a blur for me, but our team will not forget the commitment each and every one of you put in to help get our business back. I have utilized Progent for the past 10 years, possibly more, and each time Progent has shined and delivered as promised. This event was a testament to your capabilities."

Conclusion
A likely business-ending disaster was averted with results-oriented experts, a broad range of technical expertise, and close collaboration. In the post mortem it was clear that the crypto-ransomware incident described here would have been stopped by current security systems and best practices, user and IT administrator education, and properly executed procedures for protecting data (including offline backups) and applying software patches. The fact remains that cyber criminals, state-sponsored or otherwise, operating from Russia, North Korea, China and elsewhere are tireless and represent an ongoing threat. If you do fall victim to a ransomware incident, remember that Progent's roster of professionals has a proven track record in ransomware blocking, remediation, and information systems restoration.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (and any others who were involved), thank you for making it so I could get rested after we got through the initial push. All of you did a fabulous job, and if any of you guys are in the Chicago area, dinner is the least I can do!"

To read or download a PDF version of this case study, please click:
Progent's Ryuk Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent can provide businesses in Atlanta a range of online monitoring and security assessment services to help you minimize the threat from crypto-ransomware. These services use behavior-based machine-learning technology to detect new strains of crypto-ransomware that evade legacy signature-based anti-virus products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) service that incorporates behavior-based machine-learning tools to defend physical and virtual endpoints against new malware attacks such as ransomware and phishing payloads, which routinely evade legacy signature-matching anti-virus products. ProSight Active Security Monitoring safeguards on-premises and cloud resources and provides a single platform to manage the complete threat lifecycle: protection, detection, containment, remediation, and post-attack forensics. Key features include one-click rollback using the Windows Volume Shadow Copy Service and automatic network-wide immunization against newly identified threats. Read more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Security and Exchange Email Filtering
    ProSight Enhanced Security Protection (ESP) services offer affordable multi-layer protection for physical servers and virtual machines, workstations, mobile devices, and Microsoft Exchange. ProSight ESP uses contextual security and advanced heuristics for round-the-clock monitoring and response to attacks from all vectors. ProSight ESP provides two-way firewall protection, intrusion alerts, device management, and web filtering through technologies packaged within one agent managed from a unified console. Progent's security and virtualization consultants can help you plan and implement a ProSight ESP deployment that meets your company's specific needs and that allows you to demonstrate compliance with government and industry data protection regulations. Progent will help you define and configure the policies that ProSight ESP will enforce, and Progent will monitor your network and react to alerts that call for urgent attention. Progent can also help your company set up and verify a backup and disaster recovery system such as ProSight Data Protection Services (DPS) so you can recover quickly from a potentially disastrous attack like ransomware. Learn more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint protection and Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery
    ProSight Data Protection Services offer small and mid-sized organizations an affordable end-to-end solution for secure backup and disaster recovery. For a fixed monthly price, ProSight DPS automates your backup processes and allows rapid recovery of critical data, applications and VMs that have become unavailable or corrupted as a result of hardware failures, software bugs, disasters, human error, or malware attacks like ransomware. ProSight DPS can help you protect, retrieve and restore files, folders, applications, system images, and Hyper-V and VMware images. Critical data can be backed up to the cloud, to a local device, or mirrored to both, so that at least one copy stays out of reach of malware running inside your network. Progent's BDR consultants can provide world-class expertise to set up ProSight Data Protection Services to comply with regulatory requirements such as HIPAA, FINRA, PCI and Safe Harbor and, when necessary, can help you restore your critical information. Read more about ProSight DPS Managed Cloud Backup.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that uses the infrastructure of leading information security companies to deliver web-based control and comprehensive protection for your email traffic. The architecture of Email Guard combines cloud-based filtering with a local security gateway appliance to provide advanced protection against spam, viruses, DoS attacks, directory harvest attacks, and other email-borne threats. Email Guard's Cloud Protection Layer acts as a first barrier and keeps most unwanted email from reaching your security perimeter. This reduces your exposure to inbound attacks and conserves network bandwidth and storage. Email Guard's onsite gateway appliance adds a deeper level of inspection for inbound email. For outgoing email, the onsite gateway provides anti-virus and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The onsite security gateway can also help Microsoft Exchange Server track and safeguard internal email that originates and terminates inside your corporate firewall. For more details, see Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    Progent's ProSight WAN Watch is an infrastructure management service that makes it easy and affordable for small and mid-sized organizations to diagram, track, enhance and debug their connectivity hardware such as routers, firewalls, and wireless controllers plus servers, printers, endpoints and other networked devices. Incorporating state-of-the-art Remote Monitoring and Management technology, WAN Watch makes sure that infrastructure topology diagrams are kept current, captures and displays the configuration information of virtually all devices on your network, tracks performance, and sends alerts when issues are detected. By automating complex management processes, WAN Watch can cut hours off common chores like making network diagrams, reconfiguring your network, locating appliances that require important updates, or identifying the cause of performance bottlenecks. Find out more about ProSight WAN Watch infrastructure management services.

  • ProSight LAN Watch: Server and Desktop Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that incorporates state-of-the-art remote monitoring and management (RMM) techniques to keep your network operating at peak levels by tracking the health of critical computers that power your business network. When ProSight LAN Watch uncovers an issue, an alert is sent automatically to your designated IT management staff and your assigned Progent consultant so that all looming problems can be resolved before they can impact your network. Learn more details about ProSight LAN Watch server and desktop monitoring consulting.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With Progent's ProSight Virtual Hosting service, a small business can have its critical servers and applications hosted in a protected Tier III data center on a high-performance virtual machine host set up and managed by Progent's IT support experts. Under the ProSight Virtual Hosting model, the customer retains ownership of the data, the operating system software, and the applications. Because the system is virtualized, it can be moved quickly to an alternate hardware environment without a time-consuming and technically risky reconfiguration. With ProSight Virtual Hosting, you are not tied to a single hosting provider. Learn more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to capture, maintain, retrieve and safeguard data about your IT infrastructure, procedures, applications, and services. You can quickly locate passwords or IP addresses and be warned automatically about upcoming expirations of SSL certificates, domains or warranties. By cleaning up and organizing your IT documentation, you can save as much as half of the time wasted trying to find critical information about your IT network. ProSight IT Asset Management includes a centralized repository for holding and collaborating on all documents required for managing your network infrastructure, such as standard operating procedures and How-To's. ProSight IT Asset Management also supports a high level of automation for gathering and associating IT data. Whether you're making improvements, doing regular maintenance, or reacting to an emergency, ProSight IT Asset Management gets you the information you require as soon as you need it. Read more about Progent's ProSight IT Asset Management service.

For Atlanta 24/7/365 Ransomware Recovery Experts, contact Progent at 800-993-9400 or go to Contact Progent.