Ransomware: Your Worst IT Disaster
Ransomware Recovery Consultants
Ransomware has become an escalating cyber pandemic that presents an enterprise-level danger to organizations unprepared for an attack. Strains such as Reveton, WannaCry, Bad Rabbit, NotPetya and MongoLock have circulated for years and continue to cause damage. More recent families like Ryuk, Maze, Sodinokibi (REvil), DoppelPaymer, Conti and Egregor, along with as yet unnamed newcomers appearing daily, not only encrypt online production data but also seek out and encrypt or delete every backup they can reach. Data replicated to an off-site disaster recovery site can be ransomed along with it, because replication faithfully copies the encrypted files. In a vulnerable environment this can make recovery from backup impossible and effectively sets the datacenter back to square one.

Getting services and data back online after a crypto-ransomware event is a sprint against the clock: the victim must contain the damage, eradicate the malware and restore business-critical operations all at once. Because ransomware operators need time to move laterally and stage the encryption, attacks are often triggered at night or over a weekend, when an intrusion may go undetected for longer. That timing also makes it harder to mobilize and organize an experienced response team promptly.
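The destruction of local recovery points described above leaves a distinctive trail in process-creation logs. As an added example (not part of Progent's services or tooling, and not drawn from the case study), the following Python script matches the commands commonly run by ransomware, Ryuk included, to delete shadow copies and disable Windows recovery (MITRE ATT&CK T1490, Inhibit System Recovery), and flags the off-hours timing the previous paragraph describes. The log lines and their pipe-delimited format are constructed for the example; a real deployment would read the CommandLine field of Sysmon Event ID 1 or Windows Security Event ID 4688.

```python
"""Flag shadow-copy and recovery tampering in process-creation logs.

Ransomware that "infects the backups" usually starts with the local ones:
it deletes Volume Shadow Copies, wipes the Windows Backup catalog and
disables automatic recovery before it begins encrypting. Those commands are
a high-fidelity alarm: no normal maintenance job runs them at 02:00 on a
Saturday.
"""
import re
from datetime import datetime

# Command patterns that destroy local recovery points. Matched case-insensitively
# against the full command line so "vssadmin.exe" and "VSSADMIN" both hit.
RECOVERY_INHIBIT_PATTERNS = [
    ("vssadmin delete shadows",
     re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I)),
    ("vssadmin shrink shadow storage",
     re.compile(r"\bvssadmin(?:\.exe)?\s+resize\s+shadowstorage\b.*/maxsize=", re.I)),
    ("wmic shadowcopy delete",
     re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("wbadmin delete catalog",
     re.compile(r"\bwbadmin(?:\.exe)?\s+delete\s+catalog\b", re.I)),
    ("bcdedit disable recovery",
     re.compile(r"\bbcdedit(?:\.exe)?\s+/set\s+\{default\}\s+"
                r"(?:recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I)),
]

# Constructed sample log, not a real capture and not any product's native format.
# Fields: ISO timestamp | host | user | command line.
SAMPLE_LOG = """\
2020-03-14T02:17:05|FILESRV01|CORP\\svc_backup|C:\\Windows\\System32\\vssadmin.exe delete shadows /all /quiet
2020-03-14T02:17:06|FILESRV01|CORP\\svc_backup|wmic shadowcopy delete
2020-03-14T02:17:09|FILESRV01|CORP\\svc_backup|bcdedit /set {default} recoveryenabled No
2020-03-16T09:30:00|WKS-042|CORP\\jdoe|C:\\Windows\\System32\\notepad.exe C:\\Users\\jdoe\\notes.txt
2020-03-16T10:05:44|FILESRV01|CORP\\admin|vssadmin list shadows
"""


def parse_line(line: str) -> dict:
    """Split one pipe-delimited record into its fields."""
    ts, host, user, cmd = line.split("|", 3)
    return {"time": datetime.fromisoformat(ts), "host": host, "user": user, "cmd": cmd}


def is_off_hours(when: datetime) -> bool:
    """Weekend, or outside 07:00-19:00 on a weekday. Tune to the site's schedule."""
    return when.weekday() >= 5 or not (7 <= when.hour < 19)


def scan_lines(text: str) -> list:
    """Return one alert per record whose command line matches a recovery-inhibit pattern."""
    alerts = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        event = parse_line(raw)
        for technique, pattern in RECOVERY_INHIBIT_PATTERNS:
            if pattern.search(event["cmd"]):
                alerts.append({**event, "technique": technique,
                               "off_hours": is_off_hours(event["time"])})
                break
    return alerts


if __name__ == "__main__":
    for a in scan_lines(SAMPLE_LOG):
        flag = "OFF-HOURS " if a["off_hours"] else ""
        print(f"{a['time']:%Y-%m-%d %H:%M} {a['host']} {a['user']}: {flag}{a['technique']} :: {a['cmd']}")
```

Listing shadow copies (`vssadmin list shadows`) is deliberately not matched; it is routine administration. The rule pays off only if process-creation logging with command lines is enabled and forwarded before the attack, because the first thing the same operator does after these commands is encrypt the local event logs along with everything else.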

Progent offers a range of services for protecting businesses from ransomware attacks. These include user training to recognize and avoid phishing lures, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and setup and configuration of current-generation security gateways that use machine learning to detect and block zero-day threats. Progent can also provide veteran ransomware recovery engineers with the skills and commitment to restore a compromised environment as rapidly as possible.

Progent's Crypto-Ransomware Recovery Services
After a crypto-ransomware compromise, paying the ransom in cryptocurrency gives no assurance that the criminals will hand over keys that decrypt any or all of your data. Kaspersky Labs estimated that 17% of crypto-ransomware victims never recovered their data even after paying, compounding their losses. The gamble is also expensive. Ryuk ransoms often range from 15 to 40 BTC (roughly $120,000 to $400,000 at the time), far higher than the average ransomware demand, which ZDNet put at around $13,000. The alternative is to rebuild the critical elements of your IT environment. Without usable backups, that calls for a wide range of skills, first-rate project management, and the willingness to work around the clock until the recovery is done.

For twenty years, Progent has provided certified expert IT services for businesses in Brighton and across the US and has earned Microsoft Partner status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes consultants with advanced industry certifications in key technologies including Microsoft, Cisco, VMware, and the major Linux distributions. Progent's security experts hold internationally recognized certifications including CISA, CISSP-ISSAP, ISACA CRISC, and SANS GIAC (visit Progent's certifications). Progent also has experience with financial systems and ERP software. This breadth of experience allows Progent to rapidly understand critical systems, identify the surviving components of your network after a ransomware compromise, and reassemble them into a functioning environment.

Progent's security group uses proven project management processes to orchestrate the complicated recovery effort. Progent understands the urgency of acting quickly and in unison with a customer's management and IT staff to prioritize tasks and get critical systems back online as soon as humanly possible.

Client Case Study: A Successful Ransomware Attack Recovery
A business contacted Progent after its network was taken over by the Ryuk ransomware. Early reports attributed Ryuk to North Korean state-sponsored hackers; later analysis has tied it to Russian-speaking criminal groups. Ryuk targets specific businesses with little or no tolerance for operational disruption and is among the most profitable ransomware families. Headline victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a single-location manufacturing business in the Chicago metro area with around 500 employees. The Ryuk event had shut down all company operations and manufacturing processes. Most of the client's backups had been online at the time of the intrusion and were encrypted along with production data. The client was actively seeking loans to pay the ransom demand (more than $200K) and hoping for the best, but ultimately engaged Progent.


"I can't thank you enough in regards to the care Progent gave us during the most stressful time of (our) company's life. We had little choice but to pay the hackers behind this attack except for the confidence the Progent team afforded us. The fact that you could get our messaging and important applications back online faster than a week was amazing. Every single staff member I worked with or e-mailed at Progent was hell bent on getting my company operational and was working all day and night to bail us out."

Progent worked hand in hand with the client to quickly identify and prioritize the mission-critical areas that had to be recovered to resume company functions:

  • Microsoft Active Directory
  • Electronic Mail
  • MRP System
To start, Progent followed industry best practices for ransomware incident response by halting lateral movement and cleaning the infected systems. Progent then began restoring Microsoft Active Directory, the foundation of any Microsoft-based enterprise network: Exchange will not function without AD, and the customer's financial and MRP applications ran on Microsoft SQL Server, which relied on AD authentication for access to their data.

Within two days, Progent had rebuilt Active Directory to its pre-attack state. Progent then reinstalled and recovered storage for the most important servers. All Exchange Server relationships and configuration data were intact, which simplified the Exchange restore. Progent was also able to gather unencrypted OST files (Outlook Offline Folder Files) from staff desktop computers to recover mailbox data. A recent offline backup of the customer's accounting/ERP software allowed these essential services to be returned to users. Although a great deal of work remained to recover fully from the Ryuk event, core services were restored quickly:
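The OST salvage step above is the part of the recovery a practitioner can most readily reproduce. The following Python script is an added illustration, not Progent's tooling and not drawn from the case study: it identifies Outlook data files by their on-disk header rather than by file name, entropy-tests suspected encrypted copies, and copies intact files to a collection folder while preserving the per-user path. The profile tree, file names and the `.RYK` suffix are constructed sample data, not evidence from the incident.

```python
"""Locate salvageable Outlook data files (OST/PST) after a ransomware event.

PST and OST files start with the 4-byte signature b"!BDN". An encrypted copy
loses that header, so checking the header is a more reliable test than the
file name: ransomware usually renames what it encrypts, and an intact file may
also have been renamed. The first 4 KiB are entropy-tested as a second
opinion, since encrypted output is close to uniformly random.
"""
import math
import random
import shutil
import tempfile
from pathlib import Path

OUTLOOK_MAGIC = b"!BDN"      # header shared by PST and OST files
SAMPLE_BYTES = 4096
HIGH_ENTROPY = 7.5           # bits per byte; plain headers sit far below this


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the sample; 8.0 is perfectly uniform."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def classify(path: Path) -> str:
    """'intact' (Outlook header present), 'encrypted' (named like an Outlook
    file but header gone and contents near-random) or 'other'."""
    with path.open("rb") as fh:
        head = fh.read(SAMPLE_BYTES)
    if head.startswith(OUTLOOK_MAGIC):
        return "intact"
    named_like_outlook = ".ost" in path.name.lower() or ".pst" in path.name.lower()
    if named_like_outlook and shannon_entropy(head) > HIGH_ENTROPY:
        return "encrypted"
    return "other"


def triage(root: Path) -> dict:
    """Walk a profile tree and bucket every file by classify()."""
    report = {"intact": [], "encrypted": [], "other": []}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            report[classify(p)].append(p.relative_to(root))
    return report


def collect(root: Path, dest: Path) -> list:
    """Copy intact files to dest, preserving the relative path so each file
    stays attributable to its user. Copy rather than move: the workstation is
    still evidence and will be reimaged anyway."""
    copied = []
    for rel in triage(root)["intact"]:
        target = dest / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(root / rel, target)
        copied.append(target)
    return copied


def build_sample_tree(root: Path) -> None:
    """Constructed test data, not real evidence. The '.RYK' suffix stands in
    for whatever extension the ransomware appends."""
    rng = random.Random(7)
    intact = OUTLOOK_MAGIC + bytes(SAMPLE_BYTES - len(OUTLOOK_MAGIC))
    encrypted = bytes(rng.getrandbits(8) for _ in range(SAMPLE_BYTES))
    files = {
        "alice/AppData/Local/Microsoft/Outlook/alice@example.com.ost": intact,
        "carol/Documents/archive2018.pst": intact,
        "bob/AppData/Local/Microsoft/Outlook/bob@example.com.ost.RYK": encrypted,
        "bob/Desktop/ransom_note.txt": b"Your files are encrypted.\n",
    }
    for rel, data in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)


def run_demo() -> dict:
    """Build the sample tree in a temp dir, triage it and return the counts."""
    with tempfile.TemporaryDirectory() as tmp:
        root, dest = Path(tmp) / "Users", Path(tmp) / "salvaged"
        build_sample_tree(root)
        report = triage(root)
        copied = collect(root, dest)
        return {**{k: len(v) for k, v in report.items()}, "copied": len(copied)}


if __name__ == "__main__":
    print(run_demo())   # {'intact': 2, 'encrypted': 1, 'other': 1, 'copied': 2}
```

Point `triage()` and `collect()` at a mounted disk image or a UNC path to each workstation's profile root rather than running it on a live, possibly still-infected machine. An intact header does not guarantee the whole file is intact (some families encrypt only portions of large files), so open the salvaged files with Outlook or scanpst.exe before importing them into the rebuilt mailboxes.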


"For the most part, the production line operation was never shut down and we did not miss any customer sales."

Over the following couple of weeks, important milestones in the recovery project were completed in close cooperation between Progent's team and the customer:

  • In-house web sites were restored with no loss of data.
  • The MailStore Server with over 4 million historical emails was brought online and accessible to users.
  • CRM/Customer Orders/Invoicing/Accounts Payable (AP)/AR/Inventory capabilities were fully functional.
  • A new Palo Alto Networks PA-850 firewall was brought online.
  • 90% of the user desktops were operational.

"A huge amount of what occurred during the initial response is nearly entirely a blur for me, but my management will not forget the care each of you put in to give us our business back. I've been working together with Progent for the past ten years, possibly more, and each time I needed help Progent has outperformed my expectations and delivered. This time was the most impressive ever."

Conclusion
A potential business catastrophe was avoided through results-oriented experts, a wide range of subject matter expertise, and close collaboration. In hindsight, the intrusion described here should have been stopped by up-to-date security controls aligned with the NIST Cybersecurity Framework or ISO/IEC 27001, user and administrator training, and properly executed procedures for offline backups and software patching. The fact remains, however, that criminal and state-sponsored attackers, whether operating from China, Russia, North Korea or elsewhere, are relentless and will keep trying. If you are hit by a crypto-ransomware attack, remember that Progent's roster of professionals has proven experience in ransomware prevention, remediation, and disaster recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (along with others that were helping), thank you for letting me get rested after we made it over the initial fire. Everyone did an impressive effort, and if anyone is visiting the Chicago area, dinner is my treat!"

To read or download a PDF version of this customer case study, please click:
Progent's Ryuk Recovery Case Study Datasheet (PDF, 282 KB).

Additional Crypto-Ransomware Protection Services Available from Progent
Progent offers companies in Brighton a portfolio of remote monitoring and security assessment services to help reduce your exposure to crypto-ransomware. These services include behavior-based machine learning detection to catch new ransomware variants that evade traditional signature-based anti-virus products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection platform (EPP) that uses behavior-based machine learning to defend physical and virtual endpoints against modern malware attacks such as ransomware and phishing payloads, which routinely slip past signature-based AV products. ProSight ASM safeguards on-premises and cloud-based resources and provides a single platform to manage the complete attack lifecycle: protection, detection, containment, remediation, and post-attack forensics. Key features include one-click rollback using Windows Volume Shadow Copy (VSS) snapshots and automatic network-wide immunization against newly identified attacks. Note that rollback depends on the shadow copies surviving the attack, and ransomware routinely deletes them before encrypting, so VSS rollback complements rather than replaces offline backups. Find out more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection: Physical and Virtual Endpoint Security and Exchange Email Filtering
    ProSight Enhanced Security Protection services offer affordable multi-layer protection for physical servers and VMs, workstations, smartphones, and Exchange Server. ProSight ESP uses contextual security and modern behavior analysis to continuously monitor and respond to security threats from all vectors. ProSight ESP offers firewall protection, intrusion alerts, endpoint control, and web filtering through technologies packaged within a single agent managed from a single console. Progent's data protection and virtualization experts can help you plan and configure a ProSight ESP deployment that meets your organization's specific needs and helps you demonstrate compliance with legal and industry data security regulations. Progent will help you specify and implement the security policies that ProSight ESP enforces, and Progent will monitor your network and react to alarms that require urgent attention. Progent's consultants can also help your company install and test a backup and restore solution like ProSight Data Protection Services so you can get back in business rapidly after a potentially disastrous cyber attack such as ransomware. Find out more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint protection and Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery
    ProSight Data Protection Services from Progent provide small and mid-sized businesses an affordable and fully managed service for secure backup and disaster recovery. For a low monthly rate, ProSight Data Protection Services automates your backup processes and allows fast restoration of vital files, applications and virtual machines that have been lost or corrupted by component failures, software bugs, natural disasters, human error, or malicious attacks such as ransomware. ProSight DPS can help you back up, recover and restore files, folders, applications, system images, plus Microsoft Hyper-V and VMware virtual machine images. Important data can be protected in the cloud, on an on-premises device, or mirrored to both. Progent's backup and recovery consultants can deliver world-class expertise to configure ProSight DPS to comply with regulatory standards such as HIPAA, FINRA, and PCI and, whenever needed, can help you restore your business-critical data. Read more about ProSight Data Protection Services Managed Cloud Backup.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering service that incorporates the technology of leading information security vendors to provide web-based management and world-class security for your inbound and outbound email. The hybrid structure of Progent's Email Guard managed service combines a Cloud Protection Layer with a local security gateway device to provide advanced defense against spam, viruses, denial-of-service attacks, directory harvest attacks, and other email-based threats. Email Guard's Cloud Protection Layer acts as a first line of defense and blocks the vast majority of threats before they reach your security perimeter. This decreases your exposure to external threats and conserves bandwidth and storage. Email Guard's on-premises security gateway device provides a further layer of inspection for inbound email. For outgoing email, the on-premises gateway provides anti-virus and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The on-site gateway can also assist Microsoft Exchange Server to monitor and safeguard internal email that stays within your corporate firewall. For more details, see ProSight Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Network Infrastructure Management
    ProSight WAN Watch is a network infrastructure monitoring and management service that makes it easy and inexpensive for small and mid-sized businesses to map, monitor, reconfigure and troubleshoot their networking appliances like switches, firewalls, and access points as well as servers, endpoints and other devices. Incorporating state-of-the-art RMM technology, ProSight WAN Watch makes sure that infrastructure topology diagrams are always updated, copies and displays the configuration of virtually all devices on your network, monitors performance, and generates notices when potential issues are discovered. By automating tedious management and troubleshooting processes, WAN Watch can cut hours off ordinary chores like network mapping, expanding your network, finding devices that require critical updates, or isolating performance bottlenecks. Learn more details about ProSight WAN Watch network infrastructure monitoring and management services.

  • ProSight LAN Watch: Server and Desktop Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that incorporates state-of-the-art remote monitoring and management technology to keep your network running at peak levels by checking the health of critical computers that drive your information system. When ProSight LAN Watch detects an issue, an alarm is sent automatically to your specified IT management personnel and your assigned Progent engineering consultant so that all looming issues can be resolved before they have a chance to impact your network. Find out more details about ProSight LAN Watch server and desktop remote monitoring consulting.

  • ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
    With ProSight Virtual Hosting service, a small or mid-size organization can have its critical servers and applications hosted in a protected fault tolerant data center on a high-performance virtual machine host configured and managed by Progent's IT support professionals. With Progent's ProSight Virtual Hosting service model, the customer owns the data, the OS software, and the applications. Because the environment is virtualized, it can be ported easily to an alternate hardware solution without requiring a time-consuming and technically risky reinstallation procedure. With ProSight Virtual Hosting, your business is not locked into a single hosting provider. Find out more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to capture, maintain, retrieve and protect data about your IT infrastructure, procedures, business apps, and services. You can quickly locate passwords or serial numbers and be alerted about upcoming expirations of SSL certificates or warranties. By updating and managing your IT infrastructure documentation, you can save as much as half of the time spent looking for vital information about your network. ProSight IT Asset Management features a common location for storing and collaborating on all documents related to managing your business network such as recommended procedures and How-To's. ProSight IT Asset Management also supports a high level of automation for gathering and associating IT data. Whether you're making enhancements, performing regular maintenance, or responding to a crisis, ProSight IT Asset Management delivers the knowledge you need when you need it. Learn more about Progent's ProSight IT Asset Management service.
For 24/7 Brighton Ransomware Removal Services, call Progent at 800-462-8800 or go to Contact Progent.