Ransomware : Your Feared Information Technology Disaster
Crypto-Ransomware  Recovery ConsultantsCrypto-Ransomware has become a too-frequent cyber pandemic that presents an extinction-level danger for businesses unprepared for an assault. Multiple generations of ransomware like the CrySIS, CryptoWall, Locky, Syskey and MongoLock cryptoworms have been replicating for a long time and continue to inflict destruction. Recent strains of ransomware such as Ryuk, Maze, Sodinokibi, Netwalker, Conti or Egregor, as well as more as yet unnamed malware, not only encrypt online files but also infect any accessible system protection. Data synchronized to the cloud can also be rendered useless. In a vulnerable environment, it can render any recovery useless and basically knocks the entire system back to square one.

Restoring applications and data after a crypto-ransomware event becomes a race against the clock as the victim tries its best to stop lateral movement and clear the ransomware and to restore mission-critical activity. Because crypto-ransomware takes time to spread, penetrations are often sprung during nights and weekends, when attacks in many cases take more time to uncover. This multiplies the difficulty of promptly mobilizing and organizing a qualified mitigation team.

Progent offers an assortment of services for protecting organizations from ransomware penetrations. Among these are user training to help identify and not fall victim to phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, plus setup and configuration of the latest generation security appliances with artificial intelligence capabilities to rapidly identify and quarantine new cyber threats. Progent in addition offers the assistance of veteran ransomware recovery consultants with the talent and commitment to restore a breached system as urgently as possible.

Progent's Ransomware Recovery Support Services
Soon after a ransomware penetration, sending the ransom demands in cryptocurrency does not provide any assurance that cyber criminals will return the needed keys to unencrypt all your data. Kaspersky determined that 17% of crypto-ransomware victims never restored their information after having paid the ransom, resulting in additional losses. The risk is also costly. Ryuk ransoms commonly range from fifteen to forty BTC ($120,000 and $400,000). This is greatly higher than the typical ransomware demands, which ZDNET averages to be around $13,000. The fallback is to piece back together the vital parts of your IT environment. Absent access to full system backups, this requires a broad range of skill sets, well-coordinated project management, and the willingness to work non-stop until the task is finished.

For twenty years, Progent has provided professional Information Technology services for businesses in Baltimore and across the United States and has earned Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes professionals who have been awarded high-level certifications in important technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's security experts have garnered internationally-recognized certifications including CISA, CISSP, ISACA CRISC, and GIAC. (Refer to Progent's certifications). Progent also has expertise in financial systems and ERP software solutions. This breadth of expertise gives Progent the ability to rapidly determine critical systems and integrate the remaining components of your IT system after a ransomware event and assemble them into an operational system.

Progent's security team of experts deploys best of breed project management tools to orchestrate the sophisticated restoration process. Progent knows the importance of working quickly and together with a customerís management and IT staff to prioritize tasks and to get essential applications back on line as soon as humanly possible.

Business Case Study: A Successful Ransomware Intrusion Recovery
A business hired Progent after their network system was brought down by the Ryuk ransomware. Ryuk is generally considered to have been launched by North Korean state sponsored criminal gangs, possibly adopting technology exposed from the United States National Security Agency. Ryuk targets specific companies with limited room for disruption and is one of the most profitable instances of ransomware malware. Headline victims include Data Resolution, a California-based information warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a small manufacturing company headquartered in the Chicago metro area and has about 500 staff members. The Ryuk event had frozen all business operations and manufacturing capabilities. Most of the client's backups had been on-line at the start of the attack and were encrypted. The client was pursuing financing for paying the ransom (exceeding $200,000) and hoping for the best, but in the end reached out to Progent.


"I canít thank you enough in regards to the care Progent gave us during the most stressful time of (our) companyís existence. We had little choice but to pay the cyber criminals behind the attack except for the confidence the Progent group afforded us. The fact that you could get our e-mail and essential applications back online sooner than five days was amazing. Every single consultant I spoke to or messaged at Progent was totally committed on getting our company operational and was working all day and night on our behalf."

Progent worked hand in hand the client to quickly assess and prioritize the key elements that needed to be recovered in order to resume departmental operations:

  • Windows Active Directory
  • E-Mail
  • MRP System
To start, Progent adhered to ransomware penetration response industry best practices by halting the spread and performing virus removal steps. Progent then started the steps of rebuilding Microsoft Active Directory, the core of enterprise environments built on Microsoft technology. Exchange messaging will not work without Active Directory, and the client's accounting and MRP software leveraged SQL Server, which depends on Active Directory for access to the databases.

Within 2 days, Progent was able to rebuild Active Directory services to its pre-virus state. Progent then accomplished reinstallations and hard drive recovery of key systems. All Microsoft Exchange Server schema and attributes were intact, which greatly helped the restore of Exchange. Progent was also able to find intact OST files (Outlook Offline Data Files) on team desktop computers and laptops to recover email information. A not too old offline backup of the customerís financials/MRP software made them able to restore these essential programs back online for users. Although a lot of work was left to recover completely from the Ryuk damage, the most important systems were recovered quickly:


"For the most part, the production operation was never shut down and we produced all customer deliverables."

Throughout the next month key milestones in the restoration process were made in close cooperation between Progent engineers and the client:

  • Self-hosted web applications were brought back up with no loss of information.
  • The MailStore Microsoft Exchange Server with over 4 million historical messages was spun up and available for users.
  • CRM/Product Ordering/Invoices/Accounts Payable/Accounts Receivables/Inventory Control capabilities were 100 percent recovered.
  • A new Palo Alto Networks 850 firewall was brought on-line.
  • Most of the user desktops and notebooks were operational.

"A lot of what happened that first week is mostly a blur for me, but we will not soon forget the urgency all of the team accomplished to help get our business back. Iíve trusted Progent for the past 10 years, possibly more, and each time Progent has impressed me and delivered as promised. This time was a life saver."

Conclusion
A potential business extinction catastrophe was avoided through the efforts of top-tier professionals, a broad spectrum of technical expertise, and close teamwork. Although in retrospect the crypto-ransomware penetration detailed here should have been identified and prevented with advanced cyber security systems and best practices, user and IT administrator education, and well thought out incident response procedures for information protection and applying software patches, the reality remains that state-sponsored criminal cyber gangs from China, North Korea and elsewhere are tireless and are an ongoing threat. If you do get hit by a ransomware attack, feel confident that Progent's roster of professionals has substantial experience in crypto-ransomware virus blocking, mitigation, and data recovery.


"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (and any others that were involved), thanks very much for letting me get some sleep after we got over the most critical parts. Everyone did an incredible job, and if anyone is in the Chicago area, dinner is my treat!"

To read or download a PDF version of this customer case study, please click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent offers companies in Baltimore a range of online monitoring and security assessment services to assist you to reduce your vulnerability to ransomware. These services include next-generation artificial intelligence capability to detect new strains of ransomware that are able to evade legacy signature-based anti-virus solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) service that incorporates next generation behavior analysis tools to guard physical and virtual endpoint devices against modern malware assaults like ransomware and file-less exploits, which routinely get by legacy signature-based anti-virus tools. ProSight ASM safeguards on-premises and cloud-based resources and provides a single platform to manage the entire threat progression including filtering, infiltration detection, mitigation, remediation, and post-attack forensics. Key features include single-click rollback using Windows Volume Shadow Copy Service (VSS) and automatic system-wide immunization against newly discovered attacks. Read more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection: Physical and Virtual Endpoint Security and Microsoft Exchange Filtering
    Progent's ProSight Enhanced Security Protection (ESP) managed services deliver ultra-affordable in-depth protection for physical and virtual servers, desktops, smartphones, and Microsoft Exchange. ProSight ESP utilizes adaptive security and advanced machine learning for round-the-clock monitoring and responding to security threats from all attack vectors. ProSight ESP offers two-way firewall protection, intrusion alerts, endpoint management, and web filtering via leading-edge tools packaged within a single agent managed from a unified control. Progent's security and virtualization consultants can assist your business to design and implement a ProSight ESP deployment that addresses your organization's unique needs and that allows you prove compliance with government and industry information protection standards. Progent will help you define and implement policies that ProSight ESP will enforce, and Progent will monitor your network and respond to alerts that call for immediate attention. Progent can also assist you to set up and verify a backup and disaster recovery solution such as ProSight Data Protection Services (DPS) so you can recover rapidly from a destructive cyber attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint protection and Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery
    ProSight Data Protection Services from Progent offer small and medium-sized organizations a low cost and fully managed service for reliable backup/disaster recovery. For a low monthly rate, ProSight DPS automates and monitors your backup activities and allows rapid recovery of critical files, apps and virtual machines that have become unavailable or corrupted as a result of component breakdowns, software bugs, natural disasters, human mistakes, or malicious attacks such as ransomware. ProSight DPS can help you protect, retrieve and restore files, folders, applications, system images, as well as Microsoft Hyper-V and VMware virtual machine images. Important data can be protected on the cloud, to a local device, or to both. Progent's cloud backup consultants can provide advanced support to configure ProSight Data Protection Services to be compliant with government and industry regulatory requirements such as HIPAA, FIRPA, and PCI and, when necessary, can help you to recover your critical information. Learn more about ProSight Data Protection Services Managed Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering and email encryption service that uses the technology of top information security vendors to provide centralized management and world-class security for your inbound and outbound email. The powerful architecture of Email Guard integrates cloud-based filtering with an on-premises gateway device to offer complete protection against spam, viruses, Dos Attacks, DHAs, and other email-based threats. Email Guard's Cloud Protection Layer acts as a first line of defense and blocks most threats from making it to your security perimeter. This decreases your exposure to inbound threats and saves network bandwidth and storage space. Email Guard's onsite gateway device adds a further level of analysis for incoming email. For outgoing email, the local security gateway offers anti-virus and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The on-premises gateway can also assist Exchange Server to track and safeguard internal email that originates and ends inside your security perimeter. For more information, see ProSight Email Guard spam and content filtering.

  • ProSight WAN Watch: Infrastructure Management
    ProSight WAN Watch is an infrastructure management service that makes it simple and affordable for smaller organizations to map, track, reconfigure and debug their connectivity hardware such as routers and switches, firewalls, and load balancers plus servers, printers, endpoints and other networked devices. Incorporating state-of-the-art Remote Monitoring and Management (RMM) technology, WAN Watch makes sure that network diagrams are kept current, captures and displays the configuration information of virtually all devices on your network, tracks performance, and generates notices when problems are discovered. By automating complex management and troubleshooting processes, WAN Watch can knock hours off ordinary chores like making network diagrams, reconfiguring your network, locating appliances that need important software patches, or resolving performance problems. Find out more about ProSight WAN Watch network infrastructure management consulting.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
    ProSight LAN Watch is Progentís server and desktop monitoring service that incorporates advanced remote monitoring and management (RMM) technology to keep your network operating efficiently by tracking the health of vital assets that drive your information system. When ProSight LAN Watch detects a problem, an alert is transmitted immediately to your specified IT personnel and your Progent consultant so all potential problems can be addressed before they have a chance to disrupt your network. Find out more details about ProSight LAN Watch server and desktop monitoring services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With ProSight Virtual Hosting service, a small or mid-size organization can have its key servers and applications hosted in a protected Tier III data center on a high-performance virtual machine host set up and managed by Progent's network support experts. With Progent's ProSight Virtual Hosting model, the customer owns the data, the operating system software, and the applications. Since the environment is virtualized, it can be moved easily to a different hardware solution without requiring a time-consuming and difficult reinstallation procedure. With ProSight Virtual Hosting, you are not tied one hosting provider. Learn more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to capture, maintain, retrieve and protect data related to your IT infrastructure, processes, business apps, and services. You can quickly locate passwords or IP addresses and be alerted automatically about upcoming expirations of SSLs or warranties. By cleaning up and managing your IT documentation, you can eliminate up to 50% of time spent trying to find vital information about your IT network. ProSight IT Asset Management includes a common repository for storing and collaborating on all documents required for managing your business network like recommended procedures and How-To's. ProSight IT Asset Management also offers a high level of automation for gathering and associating IT information. Whether youíre planning improvements, doing regular maintenance, or responding to a crisis, ProSight IT Asset Management delivers the data you require when you need it. Find out more about Progent's ProSight IT Asset Management service.
For 24x7 Baltimore Crypto Repair Experts, contact Progent at 800-993-9400 or go to Contact Progent.