Ransomware : Your Feared IT Disaster
Ransomware  Remediation ProfessionalsRansomware has become an escalating cyber pandemic that represents an extinction-level threat for businesses of all sizes poorly prepared for an assault. Different iterations of ransomware like the CryptoLocker, WannaCry, Locky, NotPetya and MongoLock cryptoworms have been replicating for years and continue to cause damage. More recent variants of ransomware like Ryuk, Maze, Sodinokibi, DopplePaymer, Snatch or Nephilim, along with additional unnamed viruses, not only encrypt on-line critical data but also infect all available system restores and backups. Information replicated to off-site disaster recovery sites can also be rendered useless. In a poorly designed data protection solution, this can make automatic restore operations impossible and basically knocks the datacenter back to square one.

Retrieving services and information after a ransomware outage becomes a sprint against the clock as the victim fights to stop the spread and eradicate the virus and to resume business-critical operations. Because crypto-ransomware requires time to move laterally, assaults are frequently sprung during weekends and nights, when successful attacks may take more time to notice. This compounds the difficulty of rapidly mobilizing and coordinating an experienced mitigation team.

Progent offers a range of services for securing businesses from crypto-ransomware events. These include team member education to become familiar with and not fall victim to phishing scams, ProSight Active Security Monitoring for remote monitoring and management, in addition to setup and configuration of the latest generation security solutions with machine learning technology to intelligently identify and suppress zero-day threats. Progent in addition provides the services of expert crypto-ransomware recovery professionals with the talent and perseverance to re-deploy a breached network as urgently as possible.

Progent's Crypto-Ransomware Recovery Services
Following a ransomware attack, paying the ransom demands in cryptocurrency does not guarantee that cyber criminals will return the needed keys to decrypt any or all of your files. Kaspersky Labs determined that 17% of ransomware victims never restored their files after having sent off the ransom, resulting in additional losses. The gamble is also very costly. Ryuk ransoms frequently range from fifteen to forty BTC ($120,000 and $400,000). This is greatly above the typical crypto-ransomware demands, which ZDNET determined to be approximately $13,000. The alternative is to re-install the key components of your IT environment. Absent access to essential system backups, this requires a wide range of skill sets, top notch team management, and the ability to work continuously until the job is done.

For decades, Progent has provided expert Information Technology services for companies in Charlotte and throughout the US and has achieved Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes professionals who have earned high-level certifications in important technologies such as Microsoft, Cisco, VMware, and major distributions of Linux. Progent's security engineers have earned internationally-renowned certifications including CISM, CISSP, ISACA CRISC, and GIAC. (Refer to Progent's certifications). Progent also has experience with accounting and ERP applications. This breadth of experience gives Progent the skills to efficiently determine necessary systems and organize the remaining pieces of your network environment after a ransomware penetration and rebuild them into an operational network.

Progent's security group uses powerful project management tools to coordinate the sophisticated restoration process. Progent appreciates the urgency of working rapidly and together with a customerís management and IT resources to prioritize tasks and to put the most important systems back online as soon as possible.

Customer Case Study: A Successful Ransomware Virus Recovery
A customer contacted Progent after their network system was crashed by the Ryuk ransomware virus. Ryuk is thought to have been developed by Northern Korean government sponsored cybercriminals, possibly adopting strategies leaked from the U.S. NSA organization. Ryuk goes after specific companies with little or no ability to sustain operational disruption and is one of the most profitable versions of crypto-ransomware. High publicized victims include Data Resolution, a California-based info warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a small manufacturing business based in Chicago and has around 500 employees. The Ryuk penetration had disabled all essential operations and manufacturing capabilities. The majority of the client's data protection had been online at the start of the intrusion and were encrypted. The client considered paying the ransom demand (exceeding $200K) and hoping for good luck, but ultimately reached out to Progent.


"I canít say enough in regards to the expertise Progent provided us throughout the most stressful period of (our) companyís survival. We had little choice but to pay the Hackers except for the confidence the Progent group provided us. That you could get our messaging and critical servers back into operation faster than seven days was amazing. Every single expert I spoke to or messaged at Progent was absolutely committed on getting my company operational and was working day and night to bail us out."

Progent worked together with the customer to rapidly assess and prioritize the key areas that needed to be restored to make it possible to resume business operations:

  • Microsoft Active Directory
  • E-Mail
  • Accounting/MRP
To get going, Progent followed AV/Malware Processes event response best practices by stopping lateral movement and removing active viruses. Progent then began the process of bringing back online Windows Active Directory, the core of enterprise systems built on Microsoft Windows Server technology. Exchange messaging will not operate without AD, and the customerís financials and MRP system utilized Microsoft SQL Server, which needs Active Directory services for access to the information.

In less than 48 hours, Progent was able to restore Active Directory services to its pre-attack state. Progent then assisted with setup and hard drive recovery on the most important applications. All Exchange Server ties and attributes were intact, which accelerated the rebuild of Exchange. Progent was also able to assemble intact OST data files (Microsoft Outlook Offline Data Files) on staff PCs to recover email messages. A not too old off-line backup of the businesses accounting/ERP systems made them able to recover these required applications back online. Although significant work still had to be done to recover fully from the Ryuk event, essential services were returned to operations quickly:


"For the most part, the production manufacturing operation did not miss a beat and we made all customer orders."

Throughout the next few weeks important milestones in the restoration project were made through close cooperation between Progent consultants and the client:

  • Self-hosted web sites were returned to operation without losing any data.
  • The MailStore Server with over four million archived emails was brought on-line and available for users.
  • CRM/Product Ordering/Invoices/Accounts Payable/AR/Inventory Control modules were 100 percent functional.
  • A new Palo Alto Networks 850 firewall was brought on-line.
  • Ninety percent of the desktop computers were functioning as before the incident.

"A lot of what occurred during the initial response is mostly a haze for me, but my team will not forget the dedication each and every one of your team accomplished to help get our company back. Iíve utilized Progent for at least 10 years, possibly more, and each time I needed help Progent has impressed me and delivered as promised. This event was the most impressive ever."

Conclusion
A likely business extinction catastrophe was avoided due to hard-working professionals, a broad array of IT skills, and close teamwork. Although in post mortem the ransomware incident detailed here would have been blocked with modern security solutions and NIST Cybersecurity Framework best practices, user and IT administrator education, and well thought out security procedures for backup and keeping systems up to date with security patches, the reality remains that state-sponsored hackers from China, Russia, North Korea and elsewhere are tireless and are an ongoing threat. If you do get hit by a ransomware virus, remember that Progent's roster of professionals has substantial experience in ransomware virus blocking, remediation, and data restoration.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Tony (along with others that were involved), Iím grateful for making it so I could get some sleep after we made it past the initial push. Everyone did an fabulous job, and if anyone is in the Chicago area, a great meal is on me!"

To review or download a PDF version of this customer case study, click:
Progent's Crypto-Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent can provide businesses in Charlotte a range of remote monitoring and security assessment services to assist you to reduce the threat from crypto-ransomware. These services utilize next-generation AI capability to detect new variants of ransomware that can get past legacy signature-based security products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring is an endpoint protection (EPP) solution that incorporates cutting edge behavior machine learning technology to defend physical and virtual endpoint devices against new malware attacks like ransomware and email phishing, which easily get by traditional signature-based anti-virus products. ProSight ASM safeguards local and cloud-based resources and provides a single platform to automate the entire malware attack lifecycle including blocking, detection, mitigation, remediation, and forensics. Top capabilities include single-click rollback with Windows Volume Shadow Copy Service and real-time network-wide immunization against newly discovered threats. Find out more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection: Physical and Virtual Endpoint Protection and Exchange Email Filtering
    ProSight Enhanced Security Protection (ESP) services offer economical multi-layer protection for physical servers and virtual machines, desktops, mobile devices, and Microsoft Exchange. ProSight ESP utilizes adaptive security and advanced heuristics for round-the-clock monitoring and reacting to security threats from all attack vectors. ProSight ESP provides two-way firewall protection, intrusion alarms, device management, and web filtering via leading-edge technologies packaged within one agent accessible from a unified console. Progent's security and virtualization consultants can help you to plan and implement a ProSight ESP deployment that addresses your company's specific needs and that helps you achieve and demonstrate compliance with government and industry data security standards. Progent will help you define and configure security policies that ProSight ESP will manage, and Progent will monitor your network and respond to alarms that call for urgent action. Progent's consultants can also help your company to set up and test a backup and disaster recovery solution such as ProSight Data Protection Services so you can get back in business rapidly from a potentially disastrous security attack like ransomware. Find out more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint protection and Microsoft Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery
    ProSight Data Protection Services provide small and mid-sized organizations a low cost end-to-end solution for secure backup/disaster recovery. For a low monthly rate, ProSight Data Protection Services automates and monitors your backup activities and enables rapid restoration of vital data, apps and VMs that have become unavailable or damaged due to component breakdowns, software glitches, disasters, human mistakes, or malicious attacks such as ransomware. ProSight DPS can help you protect, retrieve and restore files, folders, apps, system images, plus Hyper-V and VMware virtual machine images. Critical data can be protected on the cloud, to a local device, or mirrored to both. Progent's BDR specialists can deliver world-class support to configure ProSight Data Protection Services to to comply with government and industry regulatory requirements like HIPAA, FIRPA, PCI and Safe Harbor and, whenever necessary, can help you to restore your business-critical data. Read more about ProSight DPS Managed Cloud Backup.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that uses the infrastructure of top data security vendors to deliver web-based control and world-class security for your email traffic. The powerful architecture of Email Guard combines a Cloud Protection Layer with a local security gateway appliance to provide advanced defense against spam, viruses, Denial of Service (DoS) Attacks, Directory Harvest Attacks, and other email-based malware. The Cloud Protection Layer acts as a preliminary barricade and blocks the vast majority of threats from making it to your network firewall. This reduces your vulnerability to external threats and conserves system bandwidth and storage space. Email Guard's onsite gateway device provides a further layer of analysis for incoming email. For outbound email, the on-premises gateway offers AV and anti-spam filtering, policy-based Data Loss Prevention, and email encryption. The on-premises gateway can also help Microsoft Exchange Server to monitor and safeguard internal email traffic that stays within your corporate firewall. For more details, see ProSight Email Guard spam and content filtering.

  • ProSight WAN Watch: Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is a network infrastructure monitoring and management service that makes it easy and inexpensive for small and mid-sized businesses to map out, track, optimize and troubleshoot their networking hardware such as routers and switches, firewalls, and access points plus servers, endpoints and other networked devices. Incorporating cutting-edge Remote Monitoring and Management (RMM) technology, ProSight WAN Watch ensures that network maps are kept updated, captures and displays the configuration of virtually all devices on your network, tracks performance, and generates notices when potential issues are discovered. By automating time-consuming management and troubleshooting activities, ProSight WAN Watch can knock hours off ordinary tasks like making network diagrams, reconfiguring your network, locating devices that require critical updates, or isolating performance issues. Find out more details about ProSight WAN Watch network infrastructure management services.

  • ProSight LAN Watch: Server and Desktop Monitoring and Management
    ProSight LAN Watch is Progentís server and desktop remote monitoring service that uses advanced remote monitoring and management (RMM) techniques to keep your IT system operating efficiently by checking the health of critical computers that power your information system. When ProSight LAN Watch detects a problem, an alert is transmitted immediately to your specified IT personnel and your Progent consultant so any looming problems can be addressed before they have a chance to impact productivity. Learn more about ProSight LAN Watch server and desktop monitoring consulting.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
    With Progent's ProSight Virtual Hosting service, a small or mid-size business can have its critical servers and apps hosted in a secure fault tolerant data center on a fast virtual machine host set up and maintained by Progent's IT support experts. Under the ProSight Virtual Hosting service model, the client owns the data, the OS platforms, and the apps. Since the system is virtualized, it can be moved immediately to a different hardware environment without requiring a time-consuming and technically risky reinstallation procedure. With ProSight Virtual Hosting, your business is not locked into one hosting service. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to create, update, retrieve and protect information about your network infrastructure, processes, applications, and services. You can instantly locate passwords or serial numbers and be warned about upcoming expirations of SSLs ,domains or warranties. By updating and organizing your IT infrastructure documentation, you can eliminate as much as 50% of time thrown away searching for critical information about your IT network. ProSight IT Asset Management features a centralized repository for storing and sharing all documents related to managing your network infrastructure such as standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also offers advanced automation for collecting and relating IT data. Whether youíre planning enhancements, performing maintenance, or responding to an emergency, ProSight IT Asset Management gets you the information you require as soon as you need it. Read more about ProSight IT Asset Management service.
For 24-7 Charlotte Crypto-Ransomware Repair Consultants, reach out to Progent at 800-462-8800 or go to Contact Progent.