Ransomware: Your Worst IT Disaster
Ransomware has become an all-too-frequent cyber pandemic and represents an existential threat for organizations unprepared for an attack. Ransomware families such as Reveton, CryptoWall, Locky, Syskey and MongoLock have been around for many years and still inflict harm. The latest crypto-ransomware strains such as Ryuk and Hermes, along with new and as yet unnamed variants appearing daily, not only encrypt online data files but also encrypt any reachable system restore points and backups. Files synchronized to off-site disaster recovery sites can be encrypted as well. In a poorly architected environment, this renders automated restoration useless and effectively knocks the network back to zero.
Restoring services and data after a ransomware attack becomes a race against time as the victim struggles to contain and eradicate the malware and bring business-critical activity back. Because crypto-ransomware takes time to spread, attacks are usually launched on weekends, when they often take longer to detect. This compounds the difficulty of promptly assembling and coordinating a qualified response team.
Progent provides a range of services for protecting businesses from crypto-ransomware attacks. These include staff training to help employees recognize and avoid phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and installation of modern security appliances with machine learning technology to rapidly detect and contain zero-day threats. Progent can also provide experienced ransomware recovery consultants with the skills and commitment to rebuild a compromised network as quickly as possible.
Progent's Ransomware Restoration Services
After a ransomware attack, paying the ransom in Bitcoin does not guarantee that the remote criminals will supply the keys needed to decrypt any of your data. Kaspersky found that 17% of ransomware victims never recovered their data even after paying the ransom, compounding their losses. The gamble is also expensive. Ryuk ransoms frequently range from fifteen to forty BTC ($120,000 to $400,000), well above the typical ransomware demand, which ZDNET determined to be around $13,000. The alternative is to rebuild the vital parts of your IT environment from scratch. Without access to complete backups, this calls for a broad complement of IT skills, well-coordinated project management, and the ability to work around the clock until the job is done.
For twenty years, Progent has provided professional IT services to companies in Denver and across the United States and has earned Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes consultants who hold high-level industry certifications in foundation technologies from Microsoft, Cisco, VMware, and the major Linux distributions. Progent's security experts hold internationally recognized certifications including CISA, CISSP-ISSAP, CRISC, and GIAC (see Progent's certifications). Progent also has expertise in financial systems and ERP applications. This breadth of experience enables Progent to quickly identify the systems that matter, salvage the surviving parts of your network after a ransomware attack, and configure them into a working system.
Progent's ransomware team uses top-notch project management systems to orchestrate the complicated restoration process. Progent understands the importance of working swiftly and in concert with a client's management and IT staff to prioritize tasks and get critical services back online as fast as humanly possible.
Customer Story: A Successful Ransomware Attack Restoration
A small business hired Progent after its company was brought down by the Ryuk ransomware. Ryuk is believed to have been created by North Korean government-sponsored criminal gangs, possibly using technology leaked from the U.S. NSA. Ryuk targets specific businesses with limited ability to sustain operational disruption and is among the most profitable incarnations of ransomware. Major victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a single-location manufacturer in Chicago with about 500 staff members. The Ryuk intrusion had halted all business operations and manufacturing processes. Most of the client's backups had been online at the start of the attack and were eventually encrypted. The client was preparing to pay the ransom (more than $200,000) and hope for the best, but in the end engaged Progent.
"I cannot say enough in regards to the help Progent gave us during the most fearful period of (our) company's life. We most likely would have paid the criminal gangs if not for the confidence the Progent experts afforded us. That you could get our messaging and essential applications back into operation in less than five days was earth shattering. Each consultant I interacted with or messaged at Progent was laser focused on getting our company operational and was working day and night on our behalf."
Progent worked with the customer to quickly identify and prioritize the mission-critical elements that had to be addressed so the company could resume operations:
- Microsoft Active Directory
- Electronic Messaging
- MRP System
To begin, Progent followed industry best practices for malware incident containment by halting the spread of the infection and cleaning the affected systems. Progent then began bringing Microsoft Active Directory back online, since it is the heart of any enterprise environment built on Microsoft Windows Server. Microsoft Exchange Server email will not function without Active Directory, and the client's accounting and MRP system ran on Microsoft SQL Server, which relies on Active Directory for authentication to the data.
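The ordering constraints in the case study (contain the malware first; Exchange and the SQL-backed MRP system both need Active Directory) are a small dependency graph, and a recovery team can derive a rebuild sequence from such a graph rather than working it out by hand. The following added example, which is not Progent's tooling or part of the original case study, does that with Kahn's topological sort and also groups systems into waves that can be rebuilt in parallel. The `crm` and `internal_web` entries and all priority numbers are assumptions made for illustration; only the containment, Active Directory, Exchange and SQL/MRP edges come from the text.

```python
"""Recovery-order planner for a ransomware rebuild.

Added example, not Progent's own tooling. It turns the ordering constraints
named in the case study (contain the malware first; Exchange and the
SQL-backed MRP system both need Active Directory) into a rebuild plan with
Kahn's topological sort, and refuses any plan that contains a dependency cycle.
"""
from typing import Dict, List, Set, Tuple

# Constructed inventory: system -> (business priority, prerequisites).
# Lower priority numbers are more urgent. The containment, Active Directory,
# Exchange and SQL/MRP edges follow the case study; the crm and internal_web
# entries and all priority values are assumptions made for this example.
SYSTEMS: Dict[str, Tuple[int, Set[str]]] = {
    "containment":      (0, set()),
    "active_directory": (1, {"containment"}),
    "exchange":         (2, {"active_directory"}),
    "sql_server":       (2, {"active_directory"}),
    "mrp":              (2, {"sql_server"}),
    "crm":              (3, {"sql_server"}),         # assumed to share SQL Server
    "internal_web":     (4, {"active_directory"}),  # assumed to use AD authentication
}


class DependencyCycle(ValueError):
    """Raised when the dependency graph cannot be ordered."""


def _validate(systems: Dict[str, Tuple[int, Set[str]]]) -> None:
    # Every prerequisite must itself be in the inventory, or the plan is incomplete.
    for name, (_, prereqs) in systems.items():
        unknown = prereqs - systems.keys()
        if unknown:
            raise KeyError(f"{name} depends on unknown system(s): {sorted(unknown)}")


def _urgency(systems):
    # Sort key: most urgent first, then by name for a deterministic plan.
    return lambda name: (systems[name][0], name)


def plan_recovery(systems: Dict[str, Tuple[int, Set[str]]]) -> List[str]:
    """Serial rebuild order: every prerequisite precedes its dependants, and
    among systems that become ready together the more urgent one goes first."""
    _validate(systems)
    indegree = {name: len(prereqs) for name, (_, prereqs) in systems.items()}
    dependants: Dict[str, List[str]] = {name: [] for name in systems}
    for name, (_, prereqs) in systems.items():
        for p in prereqs:
            dependants[p].append(name)
    ready = sorted((n for n, d in indegree.items() if d == 0), key=_urgency(systems))
    order: List[str] = []
    while ready:
        current = ready.pop(0)
        order.append(current)
        for d in dependants[current]:
            indegree[d] -= 1
            if indegree[d] == 0:
                ready.append(d)
        ready.sort(key=_urgency(systems))
    if len(order) != len(systems):
        # Anything still waiting on a prerequisite is part of (or behind) a cycle.
        stuck = sorted(n for n, d in indegree.items() if d > 0)
        raise DependencyCycle(f"dependency cycle among: {stuck}")
    return order


def recovery_waves(systems: Dict[str, Tuple[int, Set[str]]]) -> List[List[str]]:
    """Group systems into waves that can be rebuilt in parallel: each wave
    depends only on systems restored in earlier waves."""
    _validate(systems)
    done: Set[str] = set()
    remaining = set(systems)
    waves: List[List[str]] = []
    while remaining:
        wave = sorted((n for n in remaining if systems[n][1] <= done), key=_urgency(systems))
        if not wave:
            raise DependencyCycle(f"dependency cycle among: {sorted(remaining)}")
        waves.append(wave)
        done.update(wave)
        remaining.difference_update(wave)
    return waves


if __name__ == "__main__":
    for step, name in enumerate(plan_recovery(SYSTEMS), 1):
        print(f"{step}. {name}")
    for i, wave in enumerate(recovery_waves(SYSTEMS), 1):
        print(f"wave {i}: {', '.join(wave)}")
```

`plan_recovery` gives a single-track sequence for a small team; `recovery_waves` shows which rebuilds can run side by side once a larger team is assembled, which is where most of the time savings in a rebuild like the one described come from. Both raise `DependencyCycle` rather than silently emitting a partial plan, since a plan that omits systems is worse than none.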
Within two days, Progent had restored Active Directory services to their pre-attack state. Progent then completed server rebuilds and disk recovery on the essential servers. Exchange Server's Active Directory links and configuration data were intact, which simplified the Exchange rebuild. Progent was also able to collect local OST files (Outlook Offline Data Files) from employee PCs to recover mailbox data. A recent off-line backup of the customer's accounting/MRP software made it possible to bring these essential applications back online. Although substantial work remained to recover fully from the Ryuk attack, the most important systems were returned to operation quickly:
"For the most part, the production manufacturing operation never missed a beat and we delivered all customer shipments."
Over the following month, key milestones in the recovery were achieved through close cooperation between Progent team members and the client:
- In-house web sites were restored with no loss of information.
- The MailStore server for Microsoft Exchange, holding over four million historical messages, was restored to operation and made available to users.
- CRM, orders, invoices, accounts payable (AP), accounts receivable (AR) and inventory functions were fully restored.
- A new Palo Alto Networks 850 firewall was brought on-line.
- Ninety percent of user desktops were functioning as they had before the incident.
"Much of what went on that first week is nearly entirely a fog for me, but I will not soon forget the countless hours each and every one of your team accomplished to help get our business back. I've entrusted Progent for at least 10 years, possibly more, and every time I needed help Progent has outperformed my expectations and delivered. This event was a life saver."
A potentially business-killing disaster was averted by dedicated professionals, a wide range of technical expertise, and tight teamwork. Although the post-mortem showed that the crypto-ransomware incident described here would have been stopped by modern security technology, ISO/IEC 27001 best practices, staff training, appropriate incident response and data protection procedures, and timely security patching, the reality remains that state-sponsored cybercriminals from China, North Korea and elsewhere are tireless and will keep attacking. If you do fall victim to a ransomware incident, you can be confident that Progent's team has extensive experience in crypto-ransomware blocking, mitigation, and data disaster recovery.
"So, to Darrin, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were involved), I'm grateful for allowing me to get rested after we made it over the initial fire. All of you did an incredible job, and if any of your team is visiting the Chicago area, a great meal is on me!"
To review or download a PDF version of this case study, click: Progent's Ryuk Recovery Case Study Datasheet (PDF - 282 KB).
Additional Crypto-Ransomware Protection Services Available from Progent
Progent offers companies in Denver a variety of remote monitoring and security assessment services designed to reduce the threat from crypto-ransomware. These services include next-generation machine learning capabilities that detect zero-day strains of crypto-ransomware able to slip past legacy signature-based anti-virus products.
For Denver 24x7x365 Crypto-Ransomware Removal Services, call Progent at 800-993-9400 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection service that uses next-generation behavior-based machine learning to defend physical and virtual endpoints against modern malware attacks like ransomware and email phishing, which routinely get past traditional signature-matching anti-virus tools. ProSight Active Security Monitoring protects local and cloud-based resources and offers a unified platform to address the complete malware attack progression, including filtering, infiltration detection, mitigation, cleanup, and forensics. Top features include single-click rollback using Windows VSS and automatic system-wide immunization against newly discovered threats. Read more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware defense.
- ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Protection and Exchange Filtering
Progent's ProSight Enhanced Security Protection services offer affordable multi-layer protection for physical and virtual servers, desktops, mobile devices, and Exchange email. ProSight ESP uses adaptive security and advanced machine learning for round-the-clock monitoring and response to security threats from all attack vectors. ProSight ESP offers firewall protection, intrusion alerts, device control, and web filtering through leading-edge tools packaged within a single agent managed from a single console. Progent's data protection and virtualization consultants can help your business plan and configure a ProSight ESP deployment that addresses your company's specific requirements and allows you to prove compliance with legal and industry data protection standards. Progent will help you define and implement the policies that ProSight ESP will enforce, and Progent will monitor your network and react to alarms that call for urgent attention. Progent can also help your company install and verify a backup and restore solution like ProSight Data Protection Services (DPS) so you can get back in business quickly after a potentially disastrous security attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint security and Exchange email filtering.
- ProSight Data Protection Services: Managed Backup and Disaster Recovery
ProSight Data Protection Services from Progent offer small and medium-sized businesses an affordable end-to-end service for secure backup and disaster recovery. Available at a low monthly rate, ProSight DPS automates your backup activities and enables rapid recovery of vital files, applications and virtual machines that have been lost or corrupted as a result of component failures, software glitches, natural disasters, human error, or malicious attacks like ransomware. ProSight DPS can help you back up, retrieve and restore files, folders, applications, system images, plus Microsoft Hyper-V and VMware virtual machine images. Critical data can be backed up to the cloud, to an on-premises storage device, or mirrored to both. Progent's cloud backup consultants can provide world-class expertise to configure ProSight DPS to comply with government and industry regulatory requirements like HIPAA, FINRA, and PCI and, when needed, can help you restore your critical data. Learn more about ProSight DPS Managed Backup.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam filtering and email encryption service that incorporates the technology of leading data security companies to deliver centralized control and comprehensive security for your email traffic. The hybrid architecture of the Email Guard managed service combines a Cloud Protection Layer with a local security gateway device to provide advanced defense against spam, viruses, Denial of Service (DoS) attacks, Directory Harvest Attacks (DHAs), and other email-based malware. Email Guard's Cloud Protection Layer serves as a first line of defense and blocks most unwanted email before it reaches your network firewall. This reduces your exposure to inbound threats and conserves network bandwidth and storage. Email Guard's on-premises security gateway device provides a deeper layer of inspection for inbound email. For outbound email, the on-premises gateway offers anti-virus and anti-spam protection, DLP, and email encryption. The on-premises security gateway can also help Exchange Server track and safeguard internal email that originates and ends inside your corporate firewall. For more information, visit Email Guard spam filtering and data leakage protection.
- ProSight WAN Watch: Infrastructure Remote Monitoring and Management
Progent's ProSight WAN Watch is an infrastructure monitoring and management service that makes it easy and affordable for small and mid-sized organizations to map out, monitor, optimize and debug their connectivity hardware like routers, firewalls, and wireless controllers as well as servers, client computers and other networked devices. Incorporating state-of-the-art Remote Monitoring and Management technology, ProSight WAN Watch ensures that network maps are kept up to date, copies and displays the configuration of virtually every device connected to your network, monitors performance, and generates alerts when issues are detected. By automating time-consuming management and troubleshooting activities, WAN Watch can knock hours off ordinary tasks like network mapping, expanding your network, finding devices that need important software patches, or identifying the cause of performance problems. Learn more about ProSight WAN Watch infrastructure monitoring and management consulting.
- ProSight LAN Watch: Server and Desktop Remote Monitoring
ProSight LAN Watch is Progent's server and desktop monitoring managed service that uses state-of-the-art remote monitoring and management (RMM) techniques to keep your network running at peak levels by checking the state of the vital assets that drive your information system. When ProSight LAN Watch uncovers an issue, an alert is sent immediately to your designated IT management staff and your Progent engineering consultant so looming issues can be addressed before they have a chance to disrupt productivity. Find out more about ProSight LAN Watch server and desktop remote monitoring services.
- ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
With the ProSight Virtual Hosting service, a small organization can have its critical servers and applications hosted in a secure, fault-tolerant data center on a high-performance virtual host configured and managed by Progent's IT support experts. Under Progent's ProSight Virtual Hosting service model, the client retains ownership of the data, the operating system software, and the applications. Because the environment is virtualized, it can be moved immediately to an alternate hardware platform without a time-consuming and difficult reinstallation process. With ProSight Virtual Hosting, you are not locked into one hosting provider. Learn more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to create, update, retrieve and safeguard information about your network infrastructure, procedures, applications, and services. You can quickly find passwords or IP addresses and be alerted about impending expirations of SSL certificates, domains or warranties. By cleaning up and managing your IT infrastructure documentation, you can save up to half of the time wasted looking for vital information about your IT network. ProSight IT Asset Management provides a common location for storing and collaborating on all documents required for managing your network infrastructure, such as standard operating procedures (SOPs) and How-To's. ProSight IT Asset Management also offers advanced automation for gathering and associating IT information. Whether you're making improvements, performing regular maintenance, or reacting to an emergency, ProSight IT Asset Management delivers the information you need the instant you need it. Find out more about the ProSight IT Asset Management service.