Ransomware : Your Crippling IT Catastrophe
Crypto-Ransomware  Remediation ConsultantsRansomware has become a too-frequent cyberplague that represents an extinction-level threat for organizations unprepared for an attack. Different iterations of crypto-ransomware like the Reveton, Fusob, Bad Rabbit, NotPetya and MongoLock cryptoworms have been circulating for a long time and continue to cause destruction. More recent versions of crypto-ransomware like Ryuk and Hermes, as well as additional as yet unnamed malware, not only encrypt online files but also infect most configured system restores and backups. Files replicated to the cloud can also be corrupted. In a poorly architected system, this can make automatic restore operations hopeless and basically knocks the entire system back to square one.

Getting back programs and information after a ransomware intrusion becomes a race against the clock as the targeted organization struggles to stop lateral movement and cleanup the virus and to resume business-critical operations. Because crypto-ransomware requires time to spread, attacks are often sprung at night, when penetrations tend to take more time to uncover. This multiplies the difficulty of quickly marshalling and orchestrating a capable mitigation team.

Progent provides a range of support services for securing organizations from ransomware penetrations. Among these are staff training to help identify and avoid phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, plus setup and configuration of modern security solutions with artificial intelligence capabilities to rapidly detect and quarantine new cyber threats. Progent also provides the services of experienced ransomware recovery consultants with the talent and commitment to rebuild a compromised network as soon as possible.

Progent's Ransomware Restoration Support Services
Subsequent to a ransomware event, paying the ransom in Bitcoin cryptocurrency does not ensure that cyber criminals will provide the needed keys to decrypt any or all of your files. Kaspersky Labs estimated that 17% of ransomware victims never recovered their files even after having sent off the ransom, resulting in additional losses. The risk is also very costly. Ryuk ransoms commonly range from 15-40 BTC ($120,000 and $400,000). This is significantly above the typical ransomware demands, which ZDNET determined to be in the range of $13,000. The fallback is to piece back together the mission-critical components of your IT environment. Without access to full system backups, this calls for a broad range of skills, well-coordinated team management, and the ability to work 24x7 until the recovery project is done.

For decades, Progent has provided expert Information Technology services for companies in Charlotte and across the US and has earned Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes consultants who have been awarded advanced certifications in important technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's security experts have earned internationally-renowned industry certifications including CISA, CISSP, ISACA CRISC, and GIAC. (Refer to Progent's certifications). Progent also has experience with accounting and ERP application software. This breadth of experience provides Progent the skills to quickly ascertain necessary systems and integrate the surviving pieces of your network system after a ransomware event and configure them into an operational network.

Progent's security team deploys powerful project management applications to orchestrate the sophisticated restoration process. Progent appreciates the importance of acting rapidly and in concert with a customerís management and IT team members to prioritize tasks and to get the most important applications back on line as fast as humanly possible.

Customer Story: A Successful Crypto-Ransomware Penetration Restoration
A client escalated to Progent after their organization was brought down by Ryuk crypto-ransomware. Ryuk is thought to have been created by North Korean state cybercriminals, suspected of using techniques exposed from the U.S. National Security Agency. Ryuk targets specific businesses with limited tolerance for operational disruption and is one of the most profitable examples of crypto-ransomware. Well Known organizations include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a small manufacturing company headquartered in the Chicago metro area and has about 500 employees. The Ryuk attack had brought down all company operations and manufacturing processes. The majority of the client's information backups had been on-line at the time of the attack and were encrypted. The client was evaluating paying the ransom demand (exceeding two hundred thousand dollars) and praying for the best, but ultimately utilized Progent.


"I cannot tell you enough about the expertise Progent provided us throughout the most critical period of (our) companyís existence. We had little choice but to pay the cyber criminals except for the confidence the Progent team afforded us. That you could get our e-mail system and essential servers back online faster than seven days was earth shattering. Each person I worked with or texted at Progent was amazingly focused on getting my company operational and was working 24/7 on our behalf."

Progent worked hand in hand the customer to quickly assess and assign priority to the essential applications that had to be restored to make it possible to resume departmental operations:

  • Active Directory (AD)
  • Email
  • Accounting and Manufacturing Software
To get going, Progent adhered to ransomware penetration response best practices by stopping lateral movement and removing active viruses. Progent then started the task of recovering Active Directory, the key technology of enterprise networks built upon Microsoft technology. Microsoft Exchange Server messaging will not function without Active Directory, and the customerís financials and MRP system used SQL Server, which depends on Active Directory for access to the information.

Within two days, Progent was able to re-build Active Directory to its pre-attack state. Progent then assisted with reinstallations and hard drive recovery of the most important servers. All Exchange schema and attributes were usable, which facilitated the rebuild of Exchange. Progent was able to find intact OST files (Outlook Email Off-Line Data Files) on various workstations in order to recover email information. A recent off-line backup of the customerís accounting software made it possible to return these essential services back online. Although a lot of work remained to recover completely from the Ryuk attack, essential systems were restored rapidly:


"For the most part, the production line operation ran fairly normal throughout and we produced all customer sales."

Throughout the next couple of weeks critical milestones in the recovery process were accomplished through tight collaboration between Progent engineers and the customer:

  • Self-hosted web applications were returned to operation without losing any data.
  • The MailStore Microsoft Exchange Server exceeding four million historical messages was restored to operations and accessible to users.
  • CRM/Orders/Invoicing/Accounts Payable/AR/Inventory modules were 100% recovered.
  • A new Palo Alto Networks 850 security appliance was brought on-line.
  • Most of the user PCs were functioning as before the incident.

"A huge amount of what occurred in the early hours is nearly entirely a haze for me, but we will not soon forget the countless hours each of the team put in to help get our business back. Iíve utilized Progent for at least 10 years, maybe more, and each time Progent has come through and delivered as promised. This time was the most impressive ever."

Conclusion
A possible business extinction disaster was dodged by dedicated professionals, a wide range of technical expertise, and close collaboration. Although in post mortem the crypto-ransomware attack detailed here could have been shut down with advanced security solutions and recognized best practices, user training, and properly executed security procedures for data protection and proper patching controls, the fact is that state-sponsored cybercriminals from Russia, China and elsewhere are relentless and will continue. If you do fall victim to a ransomware penetration, remember that Progent's roster of experts has extensive experience in ransomware virus defense, removal, and file restoration.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Tony (and any others who were involved), thank you for letting me get some sleep after we made it over the initial push. All of you did an incredible job, and if any of your guys is around the Chicago area, dinner is on me!"

To read or download a PDF version of this customer story, click:
Progent's Crypto-Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Offered by Progent
Progent can provide businesses in Charlotte a range of remote monitoring and security evaluation services designed to assist you to minimize your vulnerability to ransomware. These services incorporate next-generation artificial intelligence capability to uncover new variants of ransomware that can get past traditional signature-based security solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring is an endpoint protection (EPP) solution that utilizes next generation behavior-based machine learning technology to defend physical and virtual endpoint devices against new malware assaults such as ransomware and email phishing, which routinely get by traditional signature-based anti-virus products. ProSight Active Security Monitoring safeguards on-premises and cloud-based resources and provides a unified platform to address the complete malware attack progression including filtering, detection, mitigation, cleanup, and forensics. Top capabilities include one-click rollback using Windows Volume Shadow Copy Service (VSS) and automatic network-wide immunization against new attacks. Find out more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection (ESP): Endpoint Protection and Microsoft Exchange Email Filtering
    Progent's ProSight Enhanced Security Protection (ESP) managed services deliver economical multi-layer protection for physical servers and virtual machines, workstations, smartphones, and Exchange Server. ProSight ESP uses adaptive security and modern behavior analysis for continuously monitoring and reacting to cyber assaults from all vectors. ProSight ESP delivers firewall protection, penetration alarms, endpoint management, and web filtering through leading-edge tools packaged within a single agent accessible from a unified control. Progent's security and virtualization consultants can help your business to design and implement a ProSight ESP environment that meets your organization's unique needs and that allows you demonstrate compliance with government and industry information protection standards. Progent will help you specify and implement policies that ProSight ESP will enforce, and Progent will monitor your IT environment and react to alerts that require immediate attention. Progent's consultants can also assist you to install and test a backup and restore system like ProSight Data Protection Services so you can get back in business quickly from a potentially disastrous security attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint security and Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services offer small and mid-sized businesses a low cost end-to-end solution for secure backup/disaster recovery (BDR). For a low monthly cost, ProSight DPS automates your backup activities and enables fast recovery of vital data, applications and virtual machines that have become unavailable or corrupted due to component failures, software glitches, disasters, human error, or malware attacks like ransomware. ProSight Data Protection Services can help you protect, retrieve and restore files, folders, applications, system images, as well as Hyper-V and VMware virtual machine images. Important data can be protected on the cloud, to an on-promises storage device, or to both. Progent's backup and recovery consultants can provide world-class support to set up ProSight Data Protection Services to be compliant with government and industry regulatory requirements such as HIPPA, FINRA, PCI and Safe Harbor and, whenever needed, can help you to restore your critical data. Learn more about ProSight Data Protection Services Managed Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering service that uses the infrastructure of top data security companies to deliver centralized control and comprehensive security for your email traffic. The powerful architecture of Email Guard combines a Cloud Protection Layer with an on-premises gateway device to offer advanced protection against spam, viruses, Denial of Service Attacks, DHAs, and other email-borne malware. The Cloud Protection Layer acts as a first line of defense and blocks the vast majority of unwanted email from reaching your network firewall. This decreases your exposure to external attacks and conserves system bandwidth and storage. Email Guard's on-premises gateway appliance adds a further level of analysis for inbound email. For outbound email, the onsite gateway provides AV and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The local gateway can also help Microsoft Exchange Server to track and protect internal email traffic that stays inside your security perimeter. For more information, see ProSight Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is an infrastructure monitoring and management service that makes it simple and inexpensive for smaller businesses to diagram, monitor, optimize and debug their networking appliances like routers and switches, firewalls, and wireless controllers plus servers, client computers and other networked devices. Using cutting-edge RMM technology, ProSight WAN Watch ensures that infrastructure topology diagrams are always updated, captures and manages the configuration information of virtually all devices connected to your network, monitors performance, and sends notices when problems are detected. By automating complex management and troubleshooting activities, ProSight WAN Watch can cut hours off common tasks such as making network diagrams, reconfiguring your network, locating devices that need critical updates, or identifying the cause of performance bottlenecks. Find out more about ProSight WAN Watch infrastructure monitoring and management services.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
    ProSight LAN Watch is Progentís server and desktop monitoring managed service that incorporates state-of-the-art remote monitoring and management technology to keep your IT system running efficiently by checking the state of critical assets that drive your information system. When ProSight LAN Watch uncovers a problem, an alert is transmitted automatically to your specified IT staff and your assigned Progent engineering consultant so any looming problems can be resolved before they can disrupt productivity. Find out more details about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
    With ProSight Virtual Hosting service, a small or mid-size business can have its critical servers and applications hosted in a secure Tier III data center on a high-performance virtual machine host set up and maintained by Progent's IT support professionals. Under Progent's ProSight Virtual Hosting model, the client owns the data, the operating system platforms, and the apps. Since the system is virtualized, it can be ported easily to a different hardware environment without requiring a time-consuming and difficult reinstallation process. With ProSight Virtual Hosting, you are not locked into one hosting service. Learn more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to capture, update, find and protect information about your IT infrastructure, procedures, applications, and services. You can quickly locate passwords or IP addresses and be warned automatically about upcoming expirations of SSLs or warranties. By cleaning up and managing your IT documentation, you can save as much as 50% of time thrown away looking for critical information about your IT network. ProSight IT Asset Management includes a common repository for holding and sharing all documents required for managing your network infrastructure like standard operating procedures and How-To's. ProSight IT Asset Management also offers a high level of automation for gathering and associating IT data. Whether youíre planning enhancements, doing maintenance, or reacting to an emergency, ProSight IT Asset Management gets you the knowledge you require when you need it. Find out more about Progent's ProSight IT Asset Management service.
For 24-Hour Charlotte Crypto-Ransomware Repair Services, reach out to Progent at 800-993-9400 or go to Contact Progent.