Ransomware: Your Worst IT Catastrophe
Crypto-ransomware has become a modern cyberplague that presents an enterprise-level danger for organizations unprepared for an attack. Different iterations of crypto-ransomware like the Reveton, WannaCry, Locky, SamSam and MongoLock cryptoworms have been out in the wild for years and still cause destruction. Newer variants of ransomware such as Ryuk and Hermes, along with more unnamed malware, not only encrypt online critical data but also infiltrate all accessible system backups. Data synchronized to off-site disaster recovery sites can also be corrupted. In a poorly designed environment, this can make any restoration impossible and effectively knock the network back to zero.

Recovering programs and information following a ransomware attack becomes a sprint against time as the targeted organization struggles to contain and eradicate the ransomware and to resume business-critical activity. Because ransomware needs time to move laterally, penetrations are often sprung at night, when attacks typically take more time to uncover. This multiplies the difficulty of quickly assembling and organizing a capable response team.

Progent provides an assortment of solutions for protecting businesses from crypto-ransomware events. Among these are staff education to help identify and not fall victim to phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, in addition to setup and configuration of next-generation security solutions with AI capabilities to quickly identify and disable day-zero cyber threats. Progent also offers the assistance of seasoned crypto-ransomware recovery consultants with the talent and perseverance to re-deploy a compromised network as soon as possible.

Progent's Ransomware Recovery Help
Following a ransomware penetration, paying the ransom demand in cryptocurrency does not provide any assurance that criminal gangs will return the codes needed to decrypt any or all of your files. Kaspersky determined that seventeen percent of ransomware victims never recovered their information after having paid the ransom, resulting in more losses. The gamble is also expensive. Ryuk ransoms frequently range from 15 to 40 BTC (between $120,000 and $400,000). This is well above the usual crypto-ransomware demands, which ZDNET averages to be approximately $13,000. The other path is to set up from scratch the mission-critical components of your IT environment. Without the availability of full information backups, this requires a wide range of skill sets, professional team management, and the willingness to work non-stop until the task is over.

For decades, Progent has made available expert Information Technology services for businesses in Baltimore and across the United States and has earned Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes consultants who have been awarded high-level industry certifications in key technologies like Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cyber security specialists have garnered internationally-recognized industry certifications including CISA, CISSP-ISSAP, CRISC, and SANS GIAC. (Refer to Progent's certifications). Progent in addition has expertise with financial systems and ERP software solutions. This breadth of experience gives Progent the skills to rapidly ascertain necessary systems and integrate the remaining components of your network environment after a ransomware event and assemble them into an operational system.

Progent's ransomware team utilizes state-of-the-art project management systems to coordinate the sophisticated recovery process. Progent appreciates the importance of working quickly and in unison with a client's management and IT team members to assign priority to tasks and to get the most important systems back on line as fast as humanly possible.

Business Case Study: A Successful Ransomware Intrusion Restoration
A customer contacted Progent after their organization was brought down by Ryuk ransomware. Ryuk is thought to have been launched by North Korean state-sponsored hackers, possibly using techniques exposed from the United States NSA organization. Ryuk goes after specific companies with limited room for disruption and is among the most lucrative versions of ransomware. Highly publicized victims include Data Resolution, a California-based info warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a small manufacturer headquartered in the Chicago metro area and has around 500 staff members. The Ryuk attack had paralyzed all company operations and manufacturing processes. Most of the client's data protection systems had been online at the time of the intrusion and were destroyed. The client was actively seeking loans for paying the ransom demand (more than $200,000) and hoping for good luck, but in the end engaged Progent.


"I can't thank you enough about the support Progent gave us during the most stressful period of (our) company's existence. We may have had to pay the cybercriminals except for the confidence the Progent experts provided us. That you could get our messaging and important applications back on-line in less than five days was incredible. Each person I talked with or communicated with at Progent was totally committed on getting us back online and was working at all hours on our behalf."

Progent worked with the client to quickly determine and prioritize the most important elements that needed to be addressed to make it possible to resume departmental functions:

  • Active Directory
  • Microsoft Exchange Email
  • Accounting and Manufacturing Software

To begin, Progent followed industry best practices for AV/malware incident response by isolating and clearing infected systems. Progent then began the process of recovering Active Directory, the foundation of enterprise environments built upon Microsoft technology. Microsoft Exchange Server email will not work without Active Directory, and the customer's accounting and MRP system utilized Microsoft SQL Server, which needs Active Directory for security authorization to the information.

Within 48 hours, Progent was able to rebuild Windows Active Directory to its pre-attack state. Progent then assisted with setup and hard drive recovery of key systems. All Exchange Server schema and attributes were intact, which facilitated the restore of Exchange. Progent was also able to collect local OST data files (Microsoft Outlook Off-Line Data Files) on various PCs and laptops in order to recover email messages. A reasonably recent offline backup of the customer's accounting/ERP software made it possible to bring these required applications back online. Although a lot of work still had to be done to recover fully from the Ryuk virus, the most important systems were restored rapidly:


"For the most part, the production operation did not miss a beat and we produced all customer sales."

During the following month important milestones in the recovery process were completed through close cooperation between Progent team members and the customer:

  • Internal web sites were returned to operation with no loss of information.
  • The MailStore Exchange Server containing more than 4 million historical emails was brought online and accessible to users.
  • CRM/Customer Orders/Invoices/Accounts Payable (AP)/Accounts Receivables/Inventory Control modules were 100% restored.
  • A new Palo Alto 850 firewall was deployed.
  • 90% of the user workstations were being used by staff.

"Much of what happened those first few days is mostly a haze for me, but I will not forget the care each and every one of your team accomplished to help get our company back. I have utilized Progent for at least 10 years, possibly more, and every time I needed help Progent has outperformed my expectations and delivered as promised. This time was a Herculean accomplishment."

Conclusion
A potential enterprise-killing catastrophe was avoided due to top-tier experts, a wide array of knowledge, and close teamwork. Although in hindsight the crypto-ransomware penetration detailed here could have been blocked with advanced cyber security technology and best practices, staff education, and well-thought-out incident response procedures for data protection and keeping systems up to date with security patches, the reality remains that government-sponsored criminal cyber gangs from China, Russia, North Korea and elsewhere are relentless and are not going away. If you do fall victim to a ransomware incident, remember that Progent's roster of experts has substantial experience in ransomware virus blocking, remediation, and file restoration.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were involved), thanks very much for making it so I could get some sleep after we made it past the initial fire. All of you did an impressive effort, and if any of your team is visiting the Chicago area, a great meal is my treat!"

To review or download a PDF version of this customer story, click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent offers companies in Baltimore a variety of online monitoring and security assessment services to help you to minimize the threat from ransomware. These services utilize next-generation artificial intelligence capability to detect new strains of crypto-ransomware that are able to escape detection by traditional signature-based anti-virus products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring is an endpoint protection (EPP) service that utilizes cutting edge behavior analysis technology to defend physical and virtual endpoints against new malware assaults like ransomware and email phishing, which easily get by traditional signature-matching AV tools. ProSight ASM protects on-premises and cloud resources and offers a single platform to automate the complete malware attack progression including blocking, detection, containment, remediation, and forensics. Key features include single-click rollback using Windows VSS and real-time system-wide immunization against newly discovered threats. Learn more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection (ESP): Endpoint Protection and Exchange Email Filtering
    ProSight Enhanced Security Protection (ESP) services offer ultra-affordable in-depth protection for physical servers and virtual machines, workstations, mobile devices, and Exchange email. ProSight ESP utilizes adaptive security and advanced heuristics for round-the-clock monitoring and responding to cyber assaults from all vectors. ProSight ESP provides two-way firewall protection, penetration alerts, endpoint control, and web filtering via leading-edge tools incorporated within one agent managed from a single control. Progent's security and virtualization consultants can assist your business to design and implement a ProSight ESP deployment that addresses your organization's unique needs and that helps you achieve and demonstrate compliance with legal and industry data protection standards. Progent will help you specify and implement policies that ProSight ESP will manage, and Progent will monitor your IT environment and react to alarms that require immediate attention. Progent's consultants can also help your company to install and test a backup and restore solution like ProSight Data Protection Services so you can get back in business quickly from a destructive cyber attack such as ransomware. Find out more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint protection and Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services provide small and mid-sized businesses an affordable end-to-end solution for reliable backup/disaster recovery. Available at a low monthly price, ProSight Data Protection Services automates and monitors your backup processes and allows fast restoration of vital files, applications and VMs that have become lost or damaged due to component breakdowns, software bugs, disasters, human error, or malicious attacks like ransomware. ProSight Data Protection Services can help you back up, retrieve and restore files, folders, applications, system images, as well as Microsoft Hyper-V and VMware virtual machine images. Important data can be backed up on the cloud, to a local device, or to both. Progent's backup and recovery specialists can provide world-class support to set up ProSight DPS to be compliant with regulatory standards such as HIPAA, FIRPA, PCI and Safe Harbor and, whenever needed, can help you to restore your business-critical data. Read more about ProSight Data Protection Services Managed Cloud Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering and email encryption service that incorporates the technology of top data security companies to provide centralized control and world-class protection for all your inbound and outbound email. The powerful structure of Progent's Email Guard integrates cloud-based filtering with an on-premises gateway appliance to offer advanced protection against spam, viruses, Denial of Service (DoS) Attacks, DHAs, and other email-based threats. Email Guard's cloud filter acts as a first line of defense and keeps the vast majority of unwanted email from making it to your security perimeter. This decreases your vulnerability to inbound attacks and saves network bandwidth and storage. Email Guard's onsite gateway device adds a further level of inspection for incoming email. For outgoing email, the local gateway provides anti-virus and anti-spam filtering, policy-based Data Loss Prevention, and email encryption. The local gateway can also help Exchange Server to track and safeguard internal email traffic that stays inside your corporate firewall. For more details, visit ProSight Email Guard spam and content filtering.

  • ProSight WAN Watch: Infrastructure Management
    ProSight WAN Watch is a network infrastructure management service that makes it easy and inexpensive for small and mid-sized organizations to map, track, enhance and troubleshoot their networking appliances such as routers and switches, firewalls, and access points as well as servers, client computers and other devices. Using cutting-edge RMM technology, WAN Watch makes sure that infrastructure topology maps are always current, captures and manages the configuration information of almost all devices connected to your network, monitors performance, and generates alerts when potential issues are discovered. By automating time-consuming management and troubleshooting processes, WAN Watch can knock hours off common tasks such as network mapping, expanding your network, finding devices that require critical software patches, or isolating performance bottlenecks. Learn more details about ProSight WAN Watch infrastructure monitoring and management services.

  • ProSight LAN Watch: Server and Desktop Monitoring
    ProSight LAN Watch is Progent's server and desktop monitoring managed service that uses advanced remote monitoring and management (RMM) techniques to keep your IT system operating at peak levels by checking the health of critical assets that power your information system. When ProSight LAN Watch uncovers an issue, an alert is sent immediately to your specified IT management staff and your Progent consultant so that all looming problems can be addressed before they can impact your network. Learn more about ProSight LAN Watch server and desktop remote monitoring consulting.

  • ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
    With ProSight Virtual Hosting service, a small or mid-size business can have its key servers and apps hosted in a protected fault tolerant data center on a high-performance virtual machine host configured and maintained by Progent's IT support experts. With the ProSight Virtual Hosting model, the client owns the data, the OS platforms, and the apps. Because the environment is virtualized, it can be moved easily to a different hardware solution without a time-consuming and technically risky reinstallation process. With ProSight Virtual Hosting, you are not tied to a single hosting service. Learn more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to capture, update, find and protect information about your network infrastructure, procedures, applications, and services. You can quickly find passwords or serial numbers and be warned about impending expirations of SSL certificates or warranties. By updating and organizing your network documentation, you can eliminate up to 50% of time spent looking for critical information about your IT network. ProSight IT Asset Management includes a centralized repository for holding and sharing all documents required for managing your business network like recommended procedures and How-To's. ProSight IT Asset Management also supports advanced automation for gathering and associating IT data. Whether you're making enhancements, doing regular maintenance, or responding to a crisis, ProSight IT Asset Management gets you the data you need when you need it. Read more about Progent's ProSight IT Asset Management service.

For Baltimore 24x7x365 Ransomware Cleanup Consulting, reach out to Progent at 800-993-9400 or go to Contact Progent.