Ransomware : Your Feared Information Technology Catastrophe
Ransomware  Remediation ConsultantsRansomware has become a too-frequent cyberplague that poses an enterprise-level danger for organizations unprepared for an attack. Versions of crypto-ransomware such as Dharma, WannaCry, Bad Rabbit, NotPetya and MongoLock cryptoworms have been around for many years and continue to inflict destruction. Newer versions of ransomware such as Ryuk, Maze, Sodinokibi, DopplePaymer, Snatch or Nephilim, as well as daily unnamed viruses, not only do encryption of online data files but also infiltrate many available system protection mechanisms. Files synchronized to cloud environments can also be rendered useless. In a poorly designed system, it can render automatic restore operations useless and basically sets the datacenter back to zero.

Retrieving services and data after a crypto-ransomware outage becomes a race against time as the victim tries its best to contain and clear the ransomware and to restore mission-critical operations. Due to the fact that ransomware takes time to replicate, penetrations are frequently launched during weekends and nights, when penetrations in many cases take more time to recognize. This multiplies the difficulty of rapidly marshalling and orchestrating a knowledgeable mitigation team.

Progent makes available a range of services for securing enterprises from ransomware events. These include team training to become familiar with and not fall victim to phishing scams, ProSight Active Security Monitoring for remote monitoring and management, in addition to setup and configuration of next-generation security solutions with artificial intelligence technology to automatically detect and extinguish new cyber threats. Progent also offers the assistance of veteran ransomware recovery consultants with the track record and perseverance to reconstruct a compromised system as quickly as possible.

Progent's Ransomware Restoration Support Services
Following a ransomware attack, even paying the ransom in Bitcoin cryptocurrency does not provide any assurance that merciless criminals will respond with the keys to unencrypt all your information. Kaspersky Labs estimated that 17% of crypto-ransomware victims never restored their files after having paid the ransom, resulting in increased losses. The risk is also costly. Ryuk ransoms commonly range from fifteen to forty BTC ($120,000 and $400,000). This is significantly above the usual ransomware demands, which ZDNET averages to be around $13,000. The alternative is to setup from scratch the key components of your IT environment. Without the availability of full data backups, this requires a broad range of skill sets, well-coordinated project management, and the ability to work continuously until the job is done.

For two decades, Progent has offered expert IT services for companies in Lubbock and throughout the U.S. and has achieved Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes consultants who have been awarded top industry certifications in leading technologies including Microsoft, Cisco, VMware, and major distributions of Linux. Progent's security specialists have garnered internationally-renowned certifications including CISA, CISSP-ISSAP, CRISC, and SANS GIAC. (Visit Progent's certifications). Progent also has experience with accounting and ERP software solutions. This breadth of expertise gives Progent the capability to efficiently understand necessary systems and integrate the remaining pieces of your network system following a ransomware penetration and rebuild them into an operational system.

Progent's ransomware group has best of breed project management tools to coordinate the sophisticated recovery process. Progent understands the urgency of acting rapidly and together with a client's management and IT team members to assign priority to tasks and to get key services back on line as soon as possible.

Customer Story: A Successful Ransomware Virus Restoration
A client hired Progent after their network was attacked by the Ryuk ransomware virus. Ryuk is believed to have been developed by Northern Korean government sponsored hackers, suspected of using technology exposed from Americaís National Security Agency. Ryuk goes after specific companies with little tolerance for disruption and is among the most profitable versions of ransomware viruses. Well Known targets include Data Resolution, a California-based information warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a small manufacturing company located in Chicago with about 500 staff members. The Ryuk event had brought down all business operations and manufacturing processes. Most of the client's information backups had been directly accessible at the beginning of the intrusion and were damaged. The client was pursuing financing for paying the ransom (in excess of two hundred thousand dollars) and praying for good luck, but in the end reached out to Progent.


"I cannot say enough about the care Progent provided us during the most stressful time of (our) businesses survival. We may have had to pay the cyber criminals behind the attack if it wasnít for the confidence the Progent team afforded us. The fact that you could get our messaging and critical applications back into operation in less than seven days was earth shattering. Every single person I worked with or texted at Progent was hell bent on getting our system up and was working all day and night to bail us out."

Progent worked with the customer to quickly understand and assign priority to the mission critical services that had to be recovered to make it possible to resume company operations:

  • Windows Active Directory
  • Exchange Server
  • MRP System
To start, Progent followed Anti-virus penetration mitigation best practices by halting the spread and removing active viruses. Progent then started the steps of recovering Microsoft AD, the key technology of enterprise environments built upon Microsoft technology. Microsoft Exchange Server messaging will not operate without Windows AD, and the customerís MRP system leveraged Microsoft SQL Server, which needs Active Directory for security authorization to the information.

In less than two days, Progent was able to recover Windows Active Directory to its pre-attack state. Progent then performed rebuilding and storage recovery of needed systems. All Exchange Server data and attributes were usable, which facilitated the restore of Exchange. Progent was able to collect non-encrypted OST data files (Outlook Off-Line Folder Files) on various workstations in order to recover mail data. A recent off-line backup of the client's accounting/ERP systems made it possible to return these required applications back on-line. Although a lot of work still had to be done to recover totally from the Ryuk event, essential services were returned to operations quickly:


"For the most part, the assembly line operation survived unscathed and we did not miss any customer sales."

During the following couple of weeks critical milestones in the recovery process were accomplished in close collaboration between Progent consultants and the client:

  • In-house web sites were restored without losing any information.
  • The MailStore Exchange Server containing more than 4 million archived emails was brought on-line and available for users.
  • CRM/Product Ordering/Invoicing/AP/AR/Inventory modules were fully functional.
  • A new Palo Alto 850 security appliance was brought on-line.
  • Ninety percent of the desktop computers were fully operational.

"So much of what happened during the initial response is nearly entirely a blur for me, but I will not soon forget the care each and every one of the team put in to give us our business back. Iíve been working together with Progent for at least 10 years, possibly more, and each time I needed help Progent has impressed me and delivered as promised. This situation was a stunning achievement."

Conclusion
A possible company-ending disaster was averted through the efforts of dedicated professionals, a wide array of technical expertise, and close teamwork. Although in post mortem the ransomware virus penetration detailed here should have been prevented with advanced cyber security solutions and security best practices, user education, and well designed incident response procedures for data protection and keeping systems up to date with security patches, the fact remains that government-sponsored criminal cyber gangs from Russia, North Korea and elsewhere are relentless and will continue. If you do get hit by a ransomware penetration, feel confident that Progent's roster of professionals has a proven track record in crypto-ransomware virus defense, remediation, and information systems disaster recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (along with others who were contributing), Iím grateful for letting me get some sleep after we made it over the initial push. All of you did an incredible job, and if anyone is in the Chicago area, dinner is the least I can do!"

To review or download a PDF version of this customer case study, click:
Progent's Crypto-Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Offered by Progent
Progent offers businesses in Lubbock a portfolio of remote monitoring and security evaluation services to assist you to reduce the threat from ransomware. These services include next-generation artificial intelligence technology to uncover new variants of ransomware that are able to get past traditional signature-based anti-virus products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring is an endpoint protection service that utilizes next generation behavior analysis tools to defend physical and virtual endpoint devices against new malware assaults like ransomware and email phishing, which routinely get by legacy signature-matching AV tools. ProSight ASM protects on-premises and cloud resources and offers a unified platform to address the entire malware attack lifecycle including blocking, detection, containment, remediation, and forensics. Top capabilities include one-click rollback using Windows Volume Shadow Copy Service and real-time system-wide immunization against newly discovered threats. Find out more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection: Endpoint Protection and Exchange Email Filtering
    Progent's ProSight Enhanced Security Protection (ESP) managed services deliver ultra-affordable in-depth protection for physical and virtual servers, workstations, smartphones, and Exchange Server. ProSight ESP utilizes contextual security and modern behavior analysis for round-the-clock monitoring and reacting to security threats from all vectors. ProSight ESP delivers firewall protection, penetration alerts, endpoint management, and web filtering via cutting-edge technologies incorporated within one agent accessible from a unified control. Progent's data protection and virtualization experts can assist your business to plan and implement a ProSight ESP environment that meets your company's unique requirements and that helps you prove compliance with legal and industry data security standards. Progent will help you define and implement policies that ProSight ESP will enforce, and Progent will monitor your IT environment and respond to alarms that require immediate attention. Progent can also help you to install and test a backup and disaster recovery solution such as ProSight Data Protection Services so you can get back in business quickly from a potentially disastrous cyber attack like ransomware. Read more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint security and Microsoft Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services provide small and mid-sized organizations an affordable and fully managed service for secure backup/disaster recovery. For a fixed monthly rate, ProSight DPS automates your backup activities and enables fast recovery of vital files, applications and VMs that have become unavailable or damaged due to hardware breakdowns, software glitches, natural disasters, human error, or malicious attacks like ransomware. ProSight DPS can help you protect, recover and restore files, folders, applications, system images, as well as Microsoft Hyper-V and VMware images/. Critical data can be protected on the cloud, to an on-promises device, or to both. Progent's backup and recovery specialists can provide world-class support to set up ProSight DPS to be compliant with regulatory requirements such as HIPAA, FINRA, and PCI and, whenever necessary, can help you to recover your business-critical information. Find out more about ProSight DPS Managed Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering and email encryption service that uses the infrastructure of top information security vendors to deliver centralized management and world-class protection for your inbound and outbound email. The hybrid architecture of Email Guard combines cloud-based filtering with a local security gateway device to offer advanced protection against spam, viruses, Denial of Service (DoS) Attacks, DHAs, and other email-borne malware. The cloud filter serves as a first line of defense and blocks most threats from reaching your security perimeter. This reduces your exposure to inbound threats and saves network bandwidth and storage. Email Guard's onsite security gateway device provides a further layer of analysis for incoming email. For outbound email, the on-premises security gateway provides AV and anti-spam filtering, policy-based Data Loss Prevention, and email encryption. The local gateway can also help Exchange Server to track and safeguard internal email that stays inside your security perimeter. For more information, visit Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Management
    Progentís ProSight WAN Watch is a network infrastructure monitoring and management service that makes it easy and inexpensive for small and mid-sized businesses to map, track, enhance and troubleshoot their connectivity hardware like switches, firewalls, and load balancers as well as servers, printers, endpoints and other networked devices. Using cutting-edge Remote Monitoring and Management technology, WAN Watch makes sure that network maps are always current, captures and displays the configuration of virtually all devices on your network, monitors performance, and sends alerts when potential issues are detected. By automating time-consuming management and troubleshooting processes, WAN Watch can knock hours off common tasks like making network diagrams, reconfiguring your network, finding appliances that need critical software patches, or resolving performance bottlenecks. Learn more about ProSight WAN Watch infrastructure management consulting.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
    ProSight LAN Watch is Progentís server and desktop remote monitoring service that incorporates state-of-the-art remote monitoring and management (RMM) techniques to keep your IT system operating efficiently by checking the health of critical assets that drive your business network. When ProSight LAN Watch uncovers an issue, an alert is transmitted immediately to your specified IT personnel and your assigned Progent engineering consultant so any looming issues can be addressed before they have a chance to disrupt your network. Find out more about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With ProSight Virtual Hosting service, a small or mid-size organization can have its key servers and applications hosted in a protected Tier III data center on a high-performance virtual machine host set up and managed by Progent's network support experts. Under Progent's ProSight Virtual Hosting model, the customer owns the data, the OS software, and the applications. Because the environment is virtualized, it can be moved immediately to a different hosting solution without a lengthy and technically risky configuration process. With ProSight Virtual Hosting, you are not locked into a single hosting provider. Learn more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to create, maintain, retrieve and protect information related to your network infrastructure, processes, applications, and services. You can instantly find passwords or serial numbers and be alerted about upcoming expirations of SSLs or warranties. By updating and managing your network documentation, you can eliminate as much as half of time thrown away looking for critical information about your network. ProSight IT Asset Management features a common repository for holding and collaborating on all documents related to managing your business network such as standard operating procedures and How-To's. ProSight IT Asset Management also supports a high level of automation for collecting and relating IT information. Whether youíre making improvements, doing regular maintenance, or reacting to an emergency, ProSight IT Asset Management delivers the knowledge you require as soon as you need it. Read more about Progent's ProSight IT Asset Management service.
For Lubbock 24/7 Crypto Remediation Experts, call Progent at 800-993-9400 or go to Contact Progent.