Ransomware : Your Crippling Information Technology Catastrophe
Ransomware  Remediation ConsultantsCrypto-Ransomware has become an escalating cyberplague that presents an extinction-level danger for businesses of all sizes vulnerable to an attack. Versions of ransomware such as CryptoLocker, Fusob, Locky, NotPetya and MongoLock cryptoworms have been running rampant for years and continue to inflict damage. The latest strains of crypto-ransomware such as Ryuk, Maze, Sodinokibi, Netwalker, Snatch or Nephilim, along with daily unnamed viruses, not only encrypt online critical data but also infect any available system backup. Data synched to off-site disaster recovery sites can also be rendered useless. In a vulnerable environment, this can make automated restore operations impossible and basically knocks the entire system back to square one.

Getting back on-line applications and data following a ransomware outage becomes a race against the clock as the victim tries its best to contain and clear the ransomware and to restore enterprise-critical activity. Since ransomware takes time to replicate, attacks are frequently sprung on weekends, when successful penetrations in many cases take more time to uncover. This multiplies the difficulty of quickly marshalling and orchestrating a capable response team.

Progent offers a range of help services for protecting enterprises from ransomware attacks. These include user training to help recognize and not fall victim to phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, along with deployment of next-generation security solutions with artificial intelligence capabilities to intelligently discover and extinguish new cyber attacks. Progent in addition offers the assistance of seasoned ransomware recovery professionals with the track record and perseverance to reconstruct a breached system as urgently as possible.

Progent's Ransomware Restoration Services
After a ransomware event, even paying the ransom demands in Bitcoin cryptocurrency does not guarantee that criminal gangs will provide the needed keys to decipher any or all of your data. Kaspersky determined that 17% of ransomware victims never restored their data even after having paid the ransom, resulting in increased losses. The gamble is also costly. Ryuk ransoms frequently range from fifteen to forty BTC ($120,000 and $400,000). This is significantly higher than the usual ransomware demands, which ZDNET determined to be approximately $13,000. The alternative is to setup from scratch the essential elements of your IT environment. Absent access to complete system backups, this calls for a broad range of skill sets, professional project management, and the willingness to work continuously until the recovery project is over.

For two decades, Progent has offered certified expert IT services for companies in Florianópolis and across the United States and has achieved Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes consultants who have been awarded top industry certifications in important technologies like Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cyber security experts have earned internationally-renowned industry certifications including CISA, CISSP, ISACA CRISC, and SANS GIAC. (Refer to Progent's certifications). Progent in addition has experience in accounting and ERP software solutions. This breadth of experience affords Progent the capability to rapidly determine critical systems and re-organize the surviving parts of your IT system after a crypto-ransomware event and assemble them into a functioning system.

Progent's ransomware group uses top notch project management tools to coordinate the complicated recovery process. Progent appreciates the importance of working swiftly and in unison with a client's management and IT team members to assign priority to tasks and to put critical applications back online as soon as humanly possible.

Business Case Study: A Successful Ransomware Penetration Restoration
A client escalated to Progent after their network was penetrated by Ryuk ransomware. Ryuk is thought to have been launched by Northern Korean government sponsored cybercriminals, suspected of using approaches exposed from the U.S. NSA organization. Ryuk targets specific businesses with limited tolerance for disruption and is one of the most lucrative instances of crypto-ransomware. Well Known victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a small manufacturing company located in Chicago with about 500 staff members. The Ryuk attack had disabled all business operations and manufacturing capabilities. Most of the client's information backups had been online at the time of the intrusion and were damaged. The client was actively seeking loans for paying the ransom demand (in excess of two hundred thousand dollars) and wishfully thinking for good luck, but ultimately utilized Progent.


"I cannot say enough about the expertise Progent gave us during the most stressful period of (our) businesses existence. We may have had to pay the Hackers if not for the confidence the Progent team provided us. The fact that you were able to get our e-mail and production applications back on-line in less than five days was beyond my wildest dreams. Every single staff member I worked with or communicated with at Progent was urgently focused on getting our company operational and was working day and night on our behalf."

Progent worked together with the client to quickly identify and prioritize the critical systems that had to be restored to make it possible to restart company functions:

  • Microsoft Active Directory
  • Exchange Server
  • Financials/MRP
To start, Progent followed Anti-virus penetration response industry best practices by halting the spread and disinfecting systems. Progent then began the process of restoring Windows Active Directory, the core of enterprise networks built upon Microsoft technology. Microsoft Exchange messaging will not operate without AD, and the client's MRP system utilized SQL Server, which requires Active Directory services for authentication to the database.

Within 48 hours, Progent was able to re-build Active Directory services to its pre-intrusion state. Progent then assisted with reinstallations and hard drive recovery of needed applications. All Exchange Server ties and configuration information were usable, which facilitated the restore of Exchange. Progent was also able to locate local OST files (Outlook Offline Data Files) on staff desktop computers and laptops to recover email messages. A not too old off-line backup of the businesses manufacturing systems made it possible to return these essential programs back on-line. Although a lot of work was left to recover completely from the Ryuk attack, core systems were returned to operations rapidly:


"For the most part, the manufacturing operation ran fairly normal throughout and we did not miss any customer deliverables."

Over the following few weeks key milestones in the recovery project were accomplished in close collaboration between Progent consultants and the customer:

  • In-house web applications were brought back up with no loss of information.
  • The MailStore Server exceeding four million archived messages was brought on-line and available for users.
  • CRM/Product Ordering/Invoices/AP/AR/Inventory Control modules were 100 percent functional.
  • A new Palo Alto 850 security appliance was set up.
  • Most of the user desktops were functioning as before the incident.

"A lot of what was accomplished in the initial days is mostly a blur for me, but I will not soon forget the commitment each of your team accomplished to give us our business back. I have entrusted Progent for the past ten years, maybe more, and every time I needed help Progent has shined and delivered as promised. This time was a life saver."

Conclusion
A probable business-ending disaster was dodged by top-tier experts, a wide range of subject matter expertise, and tight teamwork. Although in analyzing the event afterwards the crypto-ransomware virus penetration detailed here would have been stopped with modern cyber security solutions and ISO/IEC 27001 best practices, team training, and properly executed incident response procedures for data backup and proper patching controls, the reality remains that government-sponsored hackers from China, North Korea and elsewhere are tireless and are an ongoing threat. If you do fall victim to a ransomware incursion, feel confident that Progent's roster of professionals has substantial experience in crypto-ransomware virus defense, cleanup, and data restoration.


"So, to Darrin, Matt, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others that were contributing), thank you for allowing me to get some sleep after we made it through the first week. Everyone did an fabulous effort, and if any of your guys is in the Chicago area, a great meal is on me!"

To review or download a PDF version of this customer story, please click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent can provide companies in Florianópolis a portfolio of remote monitoring and security evaluation services to help you to minimize your vulnerability to ransomware. These services include modern AI technology to detect new strains of ransomware that are able to escape detection by traditional signature-based security products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring (ASM) is an endpoint protection service that incorporates cutting edge behavior analysis tools to guard physical and virtual endpoint devices against modern malware assaults such as ransomware and email phishing, which easily escape legacy signature-matching anti-virus products. ProSight Active Security Monitoring protects local and cloud resources and offers a single platform to address the entire threat lifecycle including filtering, identification, containment, cleanup, and post-attack forensics. Top capabilities include single-click rollback using Windows VSS and real-time system-wide immunization against newly discovered attacks. Read more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection: Physical and Virtual Endpoint Security and Exchange Filtering
    Progent's ProSight Enhanced Security Protection services offer economical multi-layer security for physical and virtual servers, workstations, smartphones, and Exchange Server. ProSight ESP uses contextual security and advanced heuristics for continuously monitoring and reacting to cyber threats from all vectors. ProSight ESP delivers two-way firewall protection, penetration alarms, endpoint management, and web filtering through leading-edge technologies incorporated within one agent managed from a unified control. Progent's security and virtualization experts can assist your business to plan and implement a ProSight ESP deployment that meets your company's specific requirements and that helps you demonstrate compliance with government and industry data protection regulations. Progent will help you define and implement policies that ProSight ESP will enforce, and Progent will monitor your IT environment and react to alerts that require immediate action. Progent can also help you to install and test a backup and restore solution like ProSight Data Protection Services so you can get back in business rapidly from a destructive cyber attack such as ransomware. Find out more about Progent's ProSight Enhanced Security Protection unified endpoint protection and Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services from Progent offer small and mid-sized organizations a low cost end-to-end solution for reliable backup/disaster recovery (BDR). For a fixed monthly rate, ProSight Data Protection Services automates your backup activities and allows fast restoration of vital files, applications and VMs that have become unavailable or corrupted due to component failures, software glitches, disasters, human mistakes, or malicious attacks like ransomware. ProSight DPS can help you protect, retrieve and restore files, folders, applications, system images, as well as Hyper-V and VMware images/. Important data can be protected on the cloud, to a local device, or mirrored to both. Progent's cloud backup specialists can deliver world-class support to configure ProSight DPS to be compliant with government and industry regulatory standards like HIPAA, FINRA, and PCI and, whenever necessary, can assist you to recover your critical data. Find out more about ProSight DPS Managed Backup.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that incorporates the infrastructure of leading information security vendors to provide web-based control and world-class security for your inbound and outbound email. The hybrid structure of Email Guard managed service combines a Cloud Protection Layer with a local gateway appliance to offer complete protection against spam, viruses, Denial of Service (DoS) Attacks, Directory Harvest Attacks, and other email-based malware. Email Guard's cloud filter acts as a preliminary barricade and blocks the vast majority of unwanted email from making it to your security perimeter. This reduces your vulnerability to external attacks and saves system bandwidth and storage space. Email Guard's on-premises gateway device provides a further level of inspection for incoming email. For outbound email, the on-premises security gateway provides AV and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The onsite gateway can also help Exchange Server to monitor and safeguard internal email that originates and ends inside your corporate firewall. For more information, see Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Network Infrastructure Management
    ProSight WAN Watch is a network infrastructure monitoring and management service that makes it easy and affordable for smaller businesses to diagram, track, enhance and debug their connectivity hardware like switches, firewalls, and wireless controllers as well as servers, client computers and other devices. Using state-of-the-art Remote Monitoring and Management (RMM) technology, WAN Watch ensures that infrastructure topology diagrams are kept updated, copies and manages the configuration of virtually all devices on your network, tracks performance, and generates notices when issues are detected. By automating tedious network management processes, ProSight WAN Watch can cut hours off common chores like network mapping, expanding your network, finding devices that need critical updates, or isolating performance problems. Find out more about ProSight WAN Watch infrastructure management consulting.

  • ProSight LAN Watch: Server and Desktop Monitoring and Management
    ProSight LAN Watch is Progent’s server and desktop monitoring managed service that uses state-of-the-art remote monitoring and management (RMM) technology to help keep your network operating at peak levels by checking the health of vital computers that power your business network. When ProSight LAN Watch detects an issue, an alert is transmitted automatically to your designated IT management staff and your assigned Progent engineering consultant so all potential problems can be addressed before they can impact productivity. Learn more about ProSight LAN Watch server and desktop monitoring consulting.

  • ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
    With Progent's ProSight Virtual Hosting service, a small business can have its critical servers and apps hosted in a protected Tier III data center on a fast virtual host configured and maintained by Progent's IT support experts. Under the ProSight Virtual Hosting service model, the client owns the data, the operating system software, and the applications. Since the environment is virtualized, it can be ported easily to a different hosting solution without requiring a lengthy and technically risky reinstallation process. With ProSight Virtual Hosting, you are not tied a single hosting provider. Learn more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to capture, update, retrieve and safeguard information about your network infrastructure, processes, applications, and services. You can instantly find passwords or serial numbers and be alerted automatically about upcoming expirations of SSLs or warranties. By updating and managing your network documentation, you can save up to half of time thrown away trying to find vital information about your network. ProSight IT Asset Management includes a common repository for holding and sharing all documents related to managing your business network like standard operating procedures and self-service instructions. ProSight IT Asset Management also offers a high level of automation for collecting and relating IT information. Whether you’re planning improvements, performing maintenance, or reacting to a crisis, ProSight IT Asset Management delivers the data you require as soon as you need it. Find out more about Progent's ProSight IT Asset Management service.
For 24/7/365 Florianópolis Ransomware Recovery Consultants, contact Progent at 800-462-8800 or go to Contact Progent.