Ransomware : Your Crippling Information Technology Disaster
Ransomware  Remediation ProfessionalsCrypto-Ransomware has become a modern cyberplague that presents an existential threat for organizations unprepared for an assault. Multiple generations of ransomware like the Reveton, Fusob, Locky, NotPetya and MongoLock cryptoworms have been circulating for many years and continue to inflict damage. Modern variants of ransomware such as Ryuk, Maze, Sodinokibi, DopplePaymer, Snatch or Nephilim, as well as daily as yet unnamed newcomers, not only encrypt on-line data but also infect any available system restores and backups. Data replicated to the cloud can also be ransomed. In a poorly designed system, this can make any restore operations hopeless and effectively knocks the entire system back to zero.

Recovering programs and information after a ransomware outage becomes a sprint against time as the targeted organization fights to stop lateral movement and cleanup the crypto-ransomware and to restore business-critical activity. Because ransomware requires time to spread, assaults are frequently launched during weekends and nights, when attacks are likely to take longer to identify. This compounds the difficulty of rapidly mobilizing and coordinating a capable mitigation team.

Progent offers a variety of solutions for protecting businesses from ransomware penetrations. Among these are team member education to become familiar with and avoid phishing exploits, ProSight Active Security Monitoring for remote monitoring and management, in addition to deployment of the latest generation security gateways with artificial intelligence technology to rapidly detect and extinguish day-zero threats. Progent also offers the services of experienced ransomware recovery professionals with the skills and perseverance to restore a compromised environment as rapidly as possible.

Progent's Ransomware Recovery Help
Following a crypto-ransomware event, even paying the ransom in cryptocurrency does not ensure that distant criminals will respond with the needed keys to decipher any of your files. Kaspersky Labs determined that 17% of ransomware victims never recovered their data after having sent off the ransom, resulting in additional losses. The gamble is also very costly. Ryuk ransoms commonly range from 15-40 BTC ($120,000 and $400,000). This is significantly above the average ransomware demands, which ZDNET estimates to be approximately $13,000. The other path is to piece back together the essential elements of your Information Technology environment. Without access to full data backups, this calls for a wide range of skill sets, top notch team management, and the willingness to work non-stop until the job is over.

For twenty years, Progent has made available professional IT services for companies in Denver and throughout the United States and has achieved Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes consultants who have been awarded advanced industry certifications in foundation technologies like Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cyber security specialists have earned internationally-recognized industry certifications including CISM, CISSP, CRISC, and SANS GIAC. (Visit Progent's certifications). Progent in addition has experience in accounting and ERP applications. This breadth of experience affords Progent the ability to rapidly ascertain important systems and integrate the surviving pieces of your network system after a ransomware attack and rebuild them into a functioning system.

Progent's recovery group deploys state-of-the-art project management tools to orchestrate the complicated recovery process. Progent understands the urgency of working swiftly and in concert with a customerís management and Information Technology resources to assign priority to tasks and to get critical services back on-line as soon as humanly possible.

Customer Case Study: A Successful Ransomware Attack Restoration
A small business engaged Progent after their company was penetrated by Ryuk ransomware virus. Ryuk is thought to have been deployed by North Korean government sponsored cybercriminals, possibly using algorithms exposed from the U.S. NSA organization. Ryuk attacks specific organizations with limited tolerance for disruption and is one of the most lucrative instances of ransomware malware. Well Known organizations include Data Resolution, a California-based info warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a single-location manufacturing company headquartered in Chicago and has around 500 employees. The Ryuk attack had frozen all business operations and manufacturing processes. Most of the client's system backups had been online at the time of the attack and were eventually encrypted. The client was actively seeking loans for paying the ransom (more than $200,000) and wishfully thinking for the best, but ultimately engaged Progent.


"I canít thank you enough about the care Progent provided us throughout the most critical period of (our) businesses existence. We had little choice but to pay the criminal gangs except for the confidence the Progent group provided us. The fact that you could get our messaging and important servers back on-line in less than a week was beyond my wildest dreams. Each staff member I interacted with or messaged at Progent was absolutely committed on getting our company operational and was working day and night on our behalf."

Progent worked with the customer to rapidly assess and prioritize the essential areas that needed to be restored to make it possible to resume company functions:

  • Windows Active Directory
  • Microsoft Exchange
  • Financials/MRP
To start, Progent adhered to AV/Malware Processes incident mitigation industry best practices by halting the spread and disinfecting systems. Progent then began the work of bringing back online Windows Active Directory, the foundation of enterprise networks built upon Microsoft Windows technology. Microsoft Exchange Server email will not work without Windows AD, and the client's accounting and MRP system leveraged Microsoft SQL Server, which needs Active Directory services for security authorization to the information.

In less than 2 days, Progent was able to restore Active Directory services to its pre-penetration state. Progent then completed setup and storage recovery on the most important servers. All Microsoft Exchange Server schema and configuration information were usable, which facilitated the restore of Exchange. Progent was also able to collect local OST data files (Outlook Email Off-Line Data Files) on user desktop computers and laptops to recover email data. A not too old offline backup of the businesses financials/ERP software made it possible to restore these essential services back on-line. Although a lot of work remained to recover completely from the Ryuk attack, critical systems were restored quickly:


"For the most part, the production line operation was never shut down and we delivered all customer orders."

Over the following couple of weeks critical milestones in the recovery process were completed in tight cooperation between Progent consultants and the client:

  • Internal web sites were brought back up with no loss of information.
  • The MailStore Exchange Server containing more than 4 million historical messages was restored to operations and accessible to users.
  • CRM/Customer Orders/Invoicing/AP/AR/Inventory functions were 100% functional.
  • A new Palo Alto 850 firewall was installed and configured.
  • Most of the user workstations were functioning as before the incident.

"A huge amount of what occurred that first week is nearly entirely a blur for me, but our team will not soon forget the urgency each of you put in to give us our business back. I have trusted Progent for the past 10 years, possibly more, and every time Progent has shined and delivered. This situation was a Herculean accomplishment."

Conclusion
A likely company-ending catastrophe was dodged by dedicated professionals, a wide range of subject matter expertise, and tight teamwork. Although upon completion of forensics the ransomware virus incident detailed here should have been identified and blocked with up-to-date cyber security systems and NIST Cybersecurity Framework or ISO/IEC 27001 best practices, user education, and properly executed security procedures for information protection and keeping systems up to date with security patches, the reality is that state-sponsored cyber criminals from Russia, North Korea and elsewhere are tireless and are an ongoing threat. If you do get hit by a ransomware penetration, remember that Progent's team of experts has proven experience in ransomware virus blocking, remediation, and information systems restoration.


"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (and any others who were contributing), thank you for letting me get rested after we got past the most critical parts. Everyone did an fabulous job, and if anyone is around the Chicago area, a great meal is the least I can do!"

To read or download a PDF version of this case study, click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent can provide companies in Denver a variety of remote monitoring and security evaluation services to help you to reduce the threat from ransomware. These services incorporate next-generation artificial intelligence technology to detect new variants of ransomware that can get past traditional signature-based anti-virus products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) service that utilizes cutting edge behavior machine learning tools to guard physical and virtual endpoint devices against new malware assaults such as ransomware and file-less exploits, which routinely get by traditional signature-based AV tools. ProSight ASM safeguards local and cloud resources and offers a single platform to address the entire malware attack progression including protection, infiltration detection, mitigation, remediation, and post-attack forensics. Top features include one-click rollback with Windows VSS and real-time system-wide immunization against newly discovered attacks. Find out more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection (ESP): Endpoint Protection and Microsoft Exchange Email Filtering
    ProSight Enhanced Security Protection managed services deliver economical in-depth protection for physical and virtual servers, desktops, mobile devices, and Microsoft Exchange. ProSight ESP uses contextual security and advanced heuristics for continuously monitoring and reacting to security assaults from all attack vectors. ProSight ESP delivers firewall protection, penetration alerts, device management, and web filtering via leading-edge technologies incorporated within a single agent managed from a single control. Progent's security and virtualization experts can help you to plan and configure a ProSight ESP environment that meets your organization's specific requirements and that allows you achieve and demonstrate compliance with legal and industry information security regulations. Progent will help you define and configure security policies that ProSight ESP will enforce, and Progent will monitor your IT environment and react to alerts that call for urgent action. Progent's consultants can also help your company to install and verify a backup and restore solution such as ProSight Data Protection Services (DPS) so you can recover rapidly from a destructive cyber attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint security and Microsoft Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services provide small and mid-sized businesses an affordable and fully managed service for reliable backup/disaster recovery. For a low monthly cost, ProSight Data Protection Services automates and monitors your backup processes and allows rapid restoration of critical files, applications and virtual machines that have become unavailable or corrupted as a result of hardware breakdowns, software glitches, natural disasters, human error, or malware attacks like ransomware. ProSight DPS can help you back up, recover and restore files, folders, apps, system images, plus Microsoft Hyper-V and VMware images/. Critical data can be backed up on the cloud, to a local device, or mirrored to both. Progent's backup and recovery specialists can provide world-class expertise to configure ProSight DPS to to comply with government and industry regulatory standards such as HIPAA, FIRPA, and PCI and, whenever needed, can help you to restore your business-critical information. Find out more about ProSight Data Protection Services Managed Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering and email encryption service that uses the technology of leading data security vendors to deliver web-based control and world-class security for your email traffic. The powerful architecture of Progent's Email Guard managed service combines a Cloud Protection Layer with a local security gateway appliance to offer advanced protection against spam, viruses, Dos Attacks, Directory Harvest Attacks (DHAs), and other email-based malware. The Cloud Protection Layer acts as a preliminary barricade and blocks most threats from reaching your network firewall. This decreases your vulnerability to inbound attacks and conserves network bandwidth and storage space. Email Guard's onsite gateway device provides a further layer of analysis for inbound email. For outbound email, the onsite gateway provides AV and anti-spam filtering, policy-based Data Loss Prevention, and email encryption. The local gateway can also assist Microsoft Exchange Server to track and safeguard internal email traffic that originates and ends inside your corporate firewall. For more information, visit Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    Progentís ProSight WAN Watch is an infrastructure monitoring and management service that makes it simple and inexpensive for small and mid-sized organizations to diagram, track, reconfigure and debug their connectivity hardware like routers, firewalls, and wireless controllers plus servers, endpoints and other networked devices. Incorporating cutting-edge RMM technology, ProSight WAN Watch makes sure that network maps are kept current, captures and displays the configuration of almost all devices on your network, tracks performance, and generates notices when issues are discovered. By automating time-consuming network management activities, ProSight WAN Watch can knock hours off ordinary tasks like network mapping, reconfiguring your network, locating devices that need critical updates, or isolating performance bottlenecks. Learn more details about ProSight WAN Watch infrastructure monitoring and management consulting.

  • ProSight LAN Watch: Server and Desktop Monitoring
    ProSight LAN Watch is Progentís server and desktop monitoring service that incorporates state-of-the-art remote monitoring and management (RMM) technology to help keep your IT system running at peak levels by checking the state of vital computers that drive your information system. When ProSight LAN Watch detects an issue, an alarm is transmitted immediately to your designated IT personnel and your Progent engineering consultant so that any looming issues can be addressed before they can disrupt productivity. Learn more about ProSight LAN Watch server and desktop monitoring services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With ProSight Virtual Hosting service, a small or mid-size business can have its key servers and applications hosted in a secure Tier III data center on a high-performance virtual host configured and managed by Progent's network support professionals. Under the ProSight Virtual Hosting model, the customer retains ownership of the data, the operating system software, and the apps. Since the system is virtualized, it can be ported immediately to an alternate hardware environment without requiring a lengthy and technically risky configuration process. With ProSight Virtual Hosting, you are not tied a single hosting service. Find out more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to create, maintain, find and safeguard data about your network infrastructure, processes, business apps, and services. You can instantly locate passwords or IP addresses and be alerted about impending expirations of SSLs or domains. By cleaning up and managing your IT infrastructure documentation, you can eliminate up to half of time wasted looking for vital information about your IT network. ProSight IT Asset Management includes a common location for storing and sharing all documents related to managing your business network like standard operating procedures and How-To's. ProSight IT Asset Management also offers a high level of automation for collecting and associating IT data. Whether youíre making improvements, doing maintenance, or reacting to a crisis, ProSight IT Asset Management delivers the data you require as soon as you need it. Learn more about Progent's ProSight IT Asset Management service.
For Denver 24x7x365 Ransomware Repair Support Services, contact Progent at 800-993-9400 or go to Contact Progent.