Ransomware : Your Worst IT Nightmare
Crypto-Ransomware  Recovery ExpertsRansomware has become a modern cyber pandemic that represents an enterprise-level danger for organizations unprepared for an assault. Different iterations of ransomware like the CryptoLocker, WannaCry, Locky, SamSam and MongoLock cryptoworms have been around for many years and still inflict havoc. The latest variants of ransomware such as Ryuk, Maze, Sodinokibi, DopplePaymer, Lockbit or Nephilim, along with daily as yet unnamed newcomers, not only do encryption of on-line files but also infect any accessible system protection. Information replicated to cloud environments can also be encrypted. In a poorly designed environment, it can render any recovery impossible and basically knocks the datacenter back to zero.

Restoring services and data after a ransomware attack becomes a race against the clock as the targeted business tries its best to contain the damage and clear the ransomware and to resume business-critical activity. Since ransomware requires time to replicate, assaults are usually sprung on weekends, when penetrations tend to take more time to uncover. This multiplies the difficulty of rapidly marshalling and orchestrating a qualified mitigation team.

Progent provides a variety of solutions for protecting organizations from crypto-ransomware attacks. These include team education to help recognize and not fall victim to phishing scams, ProSight Active Security Monitoring for remote monitoring and management, plus setup and configuration of modern security appliances with artificial intelligence capabilities to intelligently identify and suppress new threats. Progent in addition can provide the assistance of veteran ransomware recovery engineers with the skills and commitment to restore a breached system as quickly as possible.

Progent's Crypto-Ransomware Recovery Help
Following a crypto-ransomware attack, sending the ransom in Bitcoin cryptocurrency does not ensure that cyber criminals will provide the needed codes to unencrypt all your information. Kaspersky Labs estimated that 17% of ransomware victims never recovered their data even after having paid the ransom, resulting in more losses. The risk is also very costly. Ryuk ransoms commonly range from fifteen to forty BTC ($120,000 and $400,000). This is significantly above the average ransomware demands, which ZDNET estimates to be around $13,000. The alternative is to piece back together the vital parts of your Information Technology environment. Absent access to complete data backups, this requires a broad range of skill sets, top notch team management, and the willingness to work 24x7 until the job is complete.

For decades, Progent has provided expert IT services for companies in Charleston and across the US and has achieved Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes consultants who have attained advanced industry certifications in foundation technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's security engineers have garnered internationally-recognized industry certifications including CISM, CISSP-ISSAP, ISACA CRISC, and SANS GIAC. (Refer to Progent's certifications). Progent in addition has expertise in accounting and ERP applications. This breadth of expertise provides Progent the skills to rapidly understand critical systems and integrate the surviving pieces of your Information Technology system after a crypto-ransomware event and configure them into a functioning system.

Progent's ransomware group utilizes powerful project management systems to orchestrate the complex restoration process. Progent knows the importance of working quickly and in concert with a customerís management and Information Technology team members to prioritize tasks and to get key applications back online as fast as humanly possible.

Client Case Study: A Successful Ransomware Intrusion Restoration
A small business sought out Progent after their network was crashed by Ryuk ransomware. Ryuk is believed to have been developed by Northern Korean state sponsored criminal gangs, possibly using strategies exposed from the U.S. National Security Agency. Ryuk seeks specific companies with little or no ability to sustain disruption and is one of the most profitable versions of ransomware viruses. Well Known organizations include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a small manufacturing business headquartered in the Chicago metro area with about 500 workers. The Ryuk event had paralyzed all company operations and manufacturing processes. The majority of the client's data protection had been directly accessible at the beginning of the attack and were damaged. The client was pursuing financing for paying the ransom (in excess of $200,000) and wishfully thinking for good luck, but ultimately made the decision to use Progent.


"I canít thank you enough about the expertise Progent gave us during the most stressful time of (our) businesses survival. We would have paid the cyber criminals except for the confidence the Progent experts provided us. The fact that you could get our e-mail and production applications back into operation in less than a week was incredible. Every single expert I talked with or messaged at Progent was hell bent on getting our company operational and was working at all hours to bail us out."

Progent worked hand in hand the client to rapidly get our arms around and prioritize the critical applications that needed to be addressed to make it possible to continue company functions:

  • Microsoft Active Directory
  • Email
  • Financials/MRP
To get going, Progent followed ransomware incident response industry best practices by stopping the spread and performing virus removal steps. Progent then began the steps of rebuilding Windows Active Directory, the key technology of enterprise systems built on Microsoft technology. Exchange email will not function without Windows AD, and the businessesí accounting and MRP software used SQL Server, which requires Active Directory for authentication to the information.

In less than 2 days, Progent was able to re-build Active Directory to its pre-attack state. Progent then performed rebuilding and hard drive recovery on mission critical systems. All Exchange Server data and configuration information were intact, which facilitated the restore of Exchange. Progent was able to locate non-encrypted OST files (Outlook Offline Data Files) on staff PCs and laptops in order to recover email messages. A recent offline backup of the customerís accounting/ERP software made it possible to restore these vital applications back online. Although significant work was left to recover completely from the Ryuk event, essential services were recovered rapidly:


"For the most part, the assembly line operation was never shut down and we delivered all customer orders."

During the following month critical milestones in the recovery project were achieved through tight collaboration between Progent engineers and the customer:

  • Internal web sites were returned to operation without losing any information.
  • The MailStore Server containing more than 4 million historical messages was brought online and available for users.
  • CRM/Product Ordering/Invoicing/AP/Accounts Receivables (AR)/Inventory modules were 100% functional.
  • A new Palo Alto 850 firewall was installed.
  • Ninety percent of the desktops and laptops were operational.

"A lot of what happened that first week is nearly entirely a blur for me, but our team will not forget the urgency all of you put in to help get our company back. Iíve trusted Progent for the past ten years, maybe more, and every time Progent has come through and delivered. This situation was no exception but maybe more Herculean."

Conclusion
A possible business-killing catastrophe was dodged with hard-working professionals, a wide array of technical expertise, and tight collaboration. Although in hindsight the crypto-ransomware incident described here should have been identified and stopped with modern security technology and NIST Cybersecurity Framework or ISO/IEC 27001 best practices, user and IT administrator training, and appropriate security procedures for information backup and proper patching controls, the reality is that government-sponsored cyber criminals from Russia, China and elsewhere are tireless and are not going away. If you do fall victim to a crypto-ransomware attack, feel confident that Progent's team of experts has a proven track record in ransomware virus defense, mitigation, and data recovery.


"So, to Darrin, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others that were contributing), Iím grateful for allowing me to get rested after we got over the most critical parts. Everyone did an impressive job, and if anyone is in the Chicago area, dinner is on me!"

To read or download a PDF version of this case study, please click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent can provide companies in Charleston a range of remote monitoring and security evaluation services designed to help you to minimize your vulnerability to crypto-ransomware. These services utilize modern machine learning capability to uncover zero-day strains of ransomware that can escape detection by legacy signature-based anti-virus solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring (ASM) is an endpoint protection service that utilizes cutting edge behavior-based machine learning tools to guard physical and virtual endpoints against new malware assaults like ransomware and email phishing, which easily evade traditional signature-matching AV tools. ProSight Active Security Monitoring protects on-premises and cloud resources and offers a unified platform to address the complete malware attack lifecycle including blocking, detection, containment, remediation, and post-attack forensics. Key features include one-click rollback using Windows Volume Shadow Copy Service and automatic network-wide immunization against newly discovered attacks. Find out more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection (ESP): Endpoint Protection and Microsoft Exchange Email Filtering
    ProSight Enhanced Security Protection managed services deliver economical multi-layer security for physical and virtual servers, workstations, smartphones, and Exchange Server. ProSight ESP utilizes adaptive security and modern behavior analysis for round-the-clock monitoring and responding to cyber threats from all vectors. ProSight ESP delivers firewall protection, intrusion alarms, endpoint management, and web filtering through leading-edge technologies incorporated within a single agent managed from a unified control. Progent's data protection and virtualization experts can help your business to plan and implement a ProSight ESP environment that meets your organization's specific needs and that helps you achieve and demonstrate compliance with legal and industry data protection regulations. Progent will help you define and implement policies that ProSight ESP will manage, and Progent will monitor your IT environment and react to alerts that require immediate action. Progent's consultants can also assist your company to set up and verify a backup and restore system like ProSight Data Protection Services (DPS) so you can get back in business rapidly from a potentially disastrous cyber attack such as ransomware. Find out more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint security and Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services from Progent offer small and medium-sized organizations a low cost end-to-end solution for reliable backup/disaster recovery. For a fixed monthly price, ProSight Data Protection Services automates and monitors your backup activities and allows rapid restoration of vital files, apps and VMs that have become unavailable or corrupted due to hardware failures, software glitches, disasters, human error, or malware attacks such as ransomware. ProSight Data Protection Services can help you protect, retrieve and restore files, folders, apps, system images, as well as Hyper-V and VMware images/. Important data can be backed up on the cloud, to an on-promises storage device, or to both. Progent's cloud backup consultants can provide advanced support to configure ProSight DPS to be compliant with government and industry regulatory requirements such as HIPAA, FINRA, and PCI and, whenever needed, can help you to restore your critical data. Learn more about ProSight Data Protection Services Managed Cloud Backup.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering and email encryption service that uses the technology of top information security companies to provide web-based management and world-class security for all your email traffic. The hybrid architecture of Email Guard integrates cloud-based filtering with a local security gateway appliance to provide advanced protection against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks, and other email-borne malware. Email Guard's cloud filter acts as a preliminary barricade and blocks the vast majority of threats from making it to your security perimeter. This decreases your exposure to inbound threats and conserves network bandwidth and storage. Email Guard's onsite gateway device provides a deeper level of analysis for inbound email. For outbound email, the on-premises gateway provides anti-virus and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The on-premises security gateway can also assist Microsoft Exchange Server to monitor and safeguard internal email traffic that originates and ends inside your corporate firewall. For more details, see ProSight Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Management
    Progentís ProSight WAN Watch is an infrastructure management service that makes it easy and inexpensive for small and mid-sized businesses to map, track, reconfigure and debug their connectivity hardware such as routers, firewalls, and access points plus servers, client computers and other devices. Using state-of-the-art Remote Monitoring and Management (RMM) technology, ProSight WAN Watch makes sure that infrastructure topology maps are always current, copies and displays the configuration information of virtually all devices on your network, monitors performance, and generates notices when potential issues are discovered. By automating time-consuming management activities, WAN Watch can cut hours off common tasks such as network mapping, reconfiguring your network, locating devices that require critical software patches, or identifying the cause of performance problems. Find out more details about ProSight WAN Watch infrastructure monitoring and management consulting.

  • ProSight LAN Watch: Server and Desktop Monitoring and Management
    ProSight LAN Watch is Progentís server and desktop monitoring managed service that incorporates state-of-the-art remote monitoring and management (RMM) technology to keep your network running at peak levels by tracking the health of critical computers that power your information system. When ProSight LAN Watch detects an issue, an alarm is sent immediately to your specified IT staff and your assigned Progent engineering consultant so that any potential issues can be resolved before they have a chance to disrupt productivity. Learn more about ProSight LAN Watch server and desktop remote monitoring consulting.

  • ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
    With Progent's ProSight Virtual Hosting service, a small or mid-size organization can have its key servers and applications hosted in a secure fault tolerant data center on a fast virtual host set up and managed by Progent's IT support professionals. Under the ProSight Virtual Hosting model, the customer retains ownership of the data, the OS platforms, and the apps. Because the system is virtualized, it can be moved immediately to an alternate hardware environment without requiring a time-consuming and difficult configuration process. With ProSight Virtual Hosting, you are not locked into one hosting service. Learn more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to capture, maintain, find and protect data about your network infrastructure, processes, business apps, and services. You can quickly locate passwords or IP addresses and be warned about impending expirations of SSL certificates or warranties. By cleaning up and organizing your network documentation, you can eliminate up to half of time wasted searching for vital information about your network. ProSight IT Asset Management includes a common repository for storing and collaborating on all documents required for managing your business network such as recommended procedures and self-service instructions. ProSight IT Asset Management also supports a high level of automation for gathering and associating IT data. Whether youíre making improvements, performing regular maintenance, or responding to an emergency, ProSight IT Asset Management gets you the knowledge you need the instant you need it. Learn more about Progent's ProSight IT Asset Management service.
For 24x7 Charleston Crypto-Ransomware Removal Consultants, call Progent at 800-462-8800 or go to Contact Progent.