Ransomware : Your Crippling IT Disaster
Crypto-Ransomware Recovery Professionals

Ransomware has become an escalating cyber pandemic that presents an extinction-level threat for businesses unprepared for an attack. Versions of ransomware like the CrySIS, WannaCry, Bad Rabbit, SamSam and MongoLock cryptoworms have been around for a long time and still inflict destruction. The latest versions of ransomware such as Ryuk and Hermes, along with additional unnamed malware, not only encrypt online data but also infiltrate most available system backups. Data synchronized to cloud environments can also be ransomed. In a poorly designed system, this can make any recovery useless and effectively sets the network back to zero.

Recovering applications and information after a ransomware event becomes a race against time as the victim tries its best to contain the damage, eradicate the crypto-ransomware, and restore mission-critical activity. Because ransomware takes time to replicate, assaults are usually launched at night, when successful attacks may take longer to identify. This compounds the difficulty of promptly marshalling and orchestrating a qualified mitigation team.

Progent makes available a variety of support services for securing organizations from ransomware attacks. These include team member education to become familiar with and avoid phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, along with installation of the latest generation security gateways with artificial intelligence capabilities to quickly discover and disable day-zero cyber threats. Progent in addition provides the services of veteran ransomware recovery engineers with the skills and commitment to rebuild a compromised environment as rapidly as possible.

Progent's Ransomware Restoration Support Services
After a crypto-ransomware attack, even paying the ransom demands in Bitcoin cryptocurrency does not ensure that cyber hackers will respond with the codes to decipher any or all of your files. Kaspersky ascertained that seventeen percent of ransomware victims never recovered their information even after having sent off the ransom, resulting in increased losses. The ransom itself is also very costly. Ryuk ransoms often range from 15-40 BTC ($120,000 to $400,000). This is far higher than the typical crypto-ransomware demand, which ZDNET estimates to be in the range of $13,000. The alternative is to piece back together the vital elements of your IT environment. Without the availability of essential information backups, this calls for a broad range of IT skills, professional team management, and the willingness to work non-stop until the job is done.

For two decades, Progent has made available expert Information Technology services for companies in Minnetonka and across the U.S. and has earned Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes professionals who have been awarded top industry certifications in important technologies like Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cybersecurity consultants have garnered internationally-recognized certifications including CISM, CISSP, CRISC, and SANS GIAC. (See Progent's certifications). Progent in addition has experience in financial management and ERP application software. This breadth of experience affords Progent the ability to efficiently determine important systems and integrate the surviving parts of your network environment after a ransomware event and rebuild them into a functioning network.

Progent's recovery team of experts utilizes top-notch project management applications to orchestrate the complicated recovery process. Progent understands the urgency of acting swiftly and working together with a customer's management and Information Technology team members to assign priority to tasks and to get essential applications back on line as fast as humanly possible.

Customer Story: A Successful Ransomware Penetration Restoration
A business contacted Progent after their network system was brought down by the Ryuk ransomware. Ryuk is generally considered to have been developed by North Korean state-sponsored hackers, possibly using strategies leaked from America's NSA organization. Ryuk seeks specific businesses with little ability to sustain operational disruption and is among the most profitable examples of ransomware. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a small manufacturing company located in Chicago with around 500 staff members. The Ryuk intrusion had paralyzed all company operations and manufacturing processes. Most of the client's information backups had been directly accessible at the time of the intrusion and were damaged. The client was evaluating paying the ransom demand (more than $200K) and hoping for good luck, but ultimately engaged Progent.


"I can't say enough in regards to the help Progent gave us during the most stressful period of (our) company's existence. We had little choice but to pay the Hackers if not for the confidence the Progent team provided us. That you could get our e-mail and essential applications back online sooner than a week was amazing. Every single staff member I spoke to or e-mailed at Progent was amazingly focused on getting us operational and was working day and night to bail us out."

Progent worked with the customer to rapidly determine and assign priority to the essential systems that needed to be restored to make it possible to continue company operations:

  • Active Directory
  • Microsoft Exchange
  • Financials/MRP
To get going, Progent adhered to AV/malware incident response best practices by halting lateral movement and cleaning up compromised systems. Progent then started the process of rebuilding Active Directory, the core of enterprise networks built on Microsoft Windows technology. Microsoft Exchange Server messaging will not function without Windows AD, and the business's accounting and MRP applications used Microsoft SQL, which relies on Windows AD to authenticate and authorize access to the data.

Within 2 days, Progent was able to rebuild Windows Active Directory to its pre-intrusion state. Progent then initiated setup and hard drive recovery on needed applications. All Microsoft Exchange Server schema and configuration information were intact, which accelerated the rebuild of Exchange. Progent was also able to collect non-encrypted OST files (Outlook offline folder files) on user workstations and laptops in order to recover email data. A fairly recent offline backup of the customer's accounting software allowed these vital applications to be restored to service. Although significant work needed to be completed to recover totally from the Ryuk damage, essential systems were returned to operations rapidly:


"For the most part, the production operation never missed a beat and we made all customer orders."
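The OST collection step described above (gathering the Outlook offline folder files that the ransomware had not touched) can be scripted for a defender doing the same triage. The following PowerShell is an added example written for this page, not Progent's own tooling: it inventories every OST file under the user profiles on one workstation, treats a file as intact only if it still begins with the Outlook NDB header signature "!BDN" (an encrypted or overwritten file will not), records a SHA-256 hash for chain of custody, and copies the intact ones to a collection share. The share path `\\recovery-share\ost-collection` is a hypothetical placeholder, and the script assumes Outlook is closed so the files are not locked.

```powershell
# Added example, not Progent's code. Run locally on a workstation with Outlook closed.
param(
    [string]$Destination = '\\recovery-share\ost-collection'   # hypothetical collection share
)

# PST/OST files start with the 4-byte NDB magic "!BDN" (0x21 0x42 0x44 0x4E).
$ndbMagic = [byte[]](0x21, 0x42, 0x44, 0x4E)

function Test-OstHeader {
    # Returns $true only if the first four bytes match the NDB signature.
    param([string]$Path)
    $fs = [System.IO.File]::Open($Path, 'Open', 'Read', 'ReadWrite')
    try {
        $buf = New-Object byte[] 4
        if ($fs.Read($buf, 0, 4) -lt 4) { return $false }
        for ($i = 0; $i -lt 4; $i++) {
            if ($buf[$i] -ne $ndbMagic[$i]) { return $false }
        }
        return $true
    } finally {
        $fs.Dispose()
    }
}

# One sub-folder per computer so files from many workstations do not collide.
$targetRoot = Join-Path $Destination $env:COMPUTERNAME
New-Item -ItemType Directory -Path $targetRoot -Force | Out-Null

$results = Get-ChildItem -Path 'C:\Users' -Recurse -Filter '*.ost' -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $user   = ($_.FullName -split '\\')[2]          # C:\Users\<user>\...
        $intact = Test-OstHeader -Path $_.FullName
        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            User     = $user
            Path     = $_.FullName
            SizeMB   = [math]::Round($_.Length / 1MB, 1)
            Modified = $_.LastWriteTime
            Intact   = $intact
            Sha256   = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
        if ($intact) {
            # Prefix with the user name so two users' outlook.ost files stay distinct.
            $dest = Join-Path $targetRoot ('{0}_{1}' -f $user, $_.Name)
            Copy-Item -Path $_.FullName -Destination $dest -Force
        }
    }

# Inventory (including the damaged files) goes alongside the copies for the recovery log.
$results | Export-Csv -Path (Join-Path $targetRoot 'ost-inventory.csv') -NoTypeInformation
$results | Format-Table User, SizeMB, Modified, Intact -AutoSize
```

The filter matches only files that still carry the `.ost` extension, so a file the ransomware renamed is simply absent from the inventory rather than misreported as intact; the header check catches the case where the extension survived but the contents were overwritten. The hash recorded before copying lets the recovered mailbox data be verified after it has been moved to the rebuilt Exchange environment.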

Throughout the next few weeks critical milestones in the recovery process were completed in close cooperation between Progent team members and the client:

  • Internal web applications were brought back up without losing any data.
  • The MailStore Server containing more than four million historical emails was spun up and available for users.
  • CRM/Customer Orders/Invoices/AP/Accounts Receivables/Inventory Control modules were fully recovered.
  • A new Palo Alto 850 firewall was deployed.
  • 90% of the desktop computers were back into operation.

"A lot of what happened in the early hours is nearly entirely a fog for me, but my management will not forget the dedication each of the team accomplished to help get our business back. I've been working together with Progent for at least 10 years, maybe more, and every time I needed help Progent has impressed me and delivered as promised. This time was no exception but maybe more Herculean."

Conclusion
A possible business-ending catastrophe was dodged through the efforts of top-tier professionals, a broad range of knowledge, and close teamwork. Although in retrospect the ransomware incident described here would have been identified and stopped with current security solutions, NIST Cybersecurity Framework or ISO/IEC 27001 best practices, user education, and appropriate security procedures for information backup and patching controls, the reality remains that state-sponsored cybercriminals from China, Russia, North Korea and elsewhere are relentless and will continue. If you do get hit by a ransomware incident, remember that Progent's roster of experts has a proven track record in ransomware blocking, cleanup, and file disaster recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (along with others who were helping), I'm grateful for letting me get some sleep after we got past the most critical parts. All of you did an impressive job, and if anyone is around the Chicago area, dinner is my treat!"

To read or download a PDF version of this customer story, please click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent can provide companies in Minnetonka a variety of remote monitoring and security evaluation services designed to help you to minimize your vulnerability to ransomware. These services incorporate modern machine learning technology to detect zero-day strains of crypto-ransomware that are able to evade traditional signature-based security products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring (ASM) is an endpoint protection solution that incorporates cutting edge behavior-based analysis tools to guard physical and virtual endpoint devices against modern malware assaults such as ransomware and file-less exploits, which routinely get by traditional signature-matching anti-virus products. ProSight Active Security Monitoring safeguards local and cloud resources and offers a unified platform to manage the entire malware attack lifecycle including protection, detection, containment, cleanup, and post-attack forensics. Top capabilities include single-click rollback using Windows VSS and automatic system-wide immunization against new threats. Read more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Security and Microsoft Exchange Filtering
    ProSight Enhanced Security Protection services offer ultra-affordable multi-layer security for physical servers and VMs, desktops, smartphones, and Exchange email. ProSight ESP utilizes contextual security and advanced heuristics for round-the-clock monitoring and responding to cyber assaults from all attack vectors. ProSight ESP provides firewall protection, intrusion alerts, device control, and web filtering via cutting-edge technologies incorporated within a single agent accessible from a unified console. Progent's data protection and virtualization experts can help your business to plan and implement a ProSight ESP deployment that addresses your organization's specific needs and that allows you to achieve and demonstrate compliance with government and industry information security regulations. Progent will assist you in defining and implementing the security policies that ProSight ESP will enforce, and Progent will monitor your network and respond to alarms that call for immediate attention. Progent can also help your company to set up and verify a backup and disaster recovery solution such as ProSight Data Protection Services so you can recover quickly from a potentially disastrous security attack like ransomware. Find out more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint security and Microsoft Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery
    ProSight Data Protection Services offer small and medium-sized organizations an affordable end-to-end service for secure backup/disaster recovery. For a fixed monthly cost, ProSight DPS automates and monitors your backup activities and allows fast recovery of vital data, applications and VMs that have become unavailable or corrupted due to component failures, software bugs, disasters, human mistakes, or malicious attacks like ransomware. ProSight DPS can help you back up, recover and restore files, folders, applications, system images, as well as Microsoft Hyper-V and VMware virtual machine images. Critical data can be backed up to the cloud, to an on-premises device, or to both. Progent's BDR specialists can provide advanced expertise to set up ProSight DPS to be compliant with government and industry regulatory standards like HIPAA, FINRA, and PCI and, when needed, can assist you to recover your critical data. Read more about ProSight Data Protection Services Managed Cloud Backup.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering service that uses the infrastructure of top data security companies to provide centralized control and world-class security for your email traffic. The hybrid architecture of the Email Guard managed service combines cloud-based filtering with a local security gateway device to offer advanced defense against spam, viruses, DoS attacks, directory harvest attacks, and other email-borne malware. The cloud filter acts as a preliminary barricade and blocks the vast majority of threats from reaching your network firewall. This reduces your vulnerability to inbound threats and conserves system bandwidth and storage space. Email Guard's onsite security gateway device provides a deeper layer of inspection for inbound email. For outgoing email, the on-premises security gateway provides anti-virus and anti-spam filtering, protection against data leaks, and email encryption. The local gateway can also help Exchange Server to monitor and protect internal email that stays inside your corporate firewall. For more details, visit ProSight Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Infrastructure Remote Monitoring and Management
    Progent's ProSight WAN Watch is a network infrastructure monitoring and management service that makes it simple and affordable for small and mid-sized organizations to map, monitor, enhance and debug their connectivity hardware such as routers and switches, firewalls, and load balancers as well as servers, client computers and other devices. Incorporating state-of-the-art Remote Monitoring and Management technology, ProSight WAN Watch ensures that network diagrams are kept current, captures and manages the configuration information of virtually all devices on your network, monitors performance, and generates alerts when potential issues are detected. By automating time-consuming management processes, WAN Watch can cut hours off common tasks like network mapping, reconfiguring your network, finding appliances that need important updates, or identifying the cause of performance issues. Learn more details about ProSight WAN Watch network infrastructure management services.

  • ProSight LAN Watch: Server and Desktop Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop remote monitoring service that uses state-of-the-art remote monitoring and management techniques to help keep your IT system operating efficiently by tracking the state of vital assets that drive your business network. When ProSight LAN Watch detects an issue, an alarm is transmitted immediately to your specified IT management staff and your Progent consultant so that any looming issues can be addressed before they can impact productivity. Learn more about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
    With ProSight Virtual Hosting service, a small organization can have its key servers and applications hosted in a secure Tier III data center on a high-performance virtual machine host configured and maintained by Progent's IT support experts. Under the ProSight Virtual Hosting service model, the customer owns the data, the operating system platforms, and the apps. Because the system is virtualized, it can be moved easily to a different hardware environment without a lengthy and technically risky configuration procedure. With ProSight Virtual Hosting, your business is not locked into a single hosting service. Learn more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to capture, update, retrieve and protect data about your network infrastructure, procedures, business apps, and services. You can quickly find passwords or serial numbers and be warned about impending expirations of SSL certificates or domains. By cleaning up and managing your IT infrastructure documentation, you can save as much as 50% of time wasted searching for vital information about your network. ProSight IT Asset Management includes a centralized location for storing and sharing all documents related to managing your network infrastructure such as standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also supports advanced automation for gathering and associating IT data. Whether you're planning enhancements, doing regular maintenance, or responding to a crisis, ProSight IT Asset Management gets you the data you require when you need it. Find out more about ProSight IT Asset Management service.

For Minnetonka 24/7/365 Crypto-Ransomware Removal Experts, reach out to Progent at 800-993-9400 or go to Contact Progent.