Ransomware : Your Crippling Information Technology Disaster
Crypto-Ransomware Recovery Consultants

Ransomware has become an escalating cyber pandemic that presents an existential danger for any organization vulnerable to an assault. Multiple generations of ransomware such as Dharma, WannaCry, Bad Rabbit, NotPetya and the MongoLock cryptoworms have been around for a long time and still cause harm. Newer variants like Ryuk, Maze, Sodinokibi, DopplePaymer, Snatch or Nephilim, plus a steady stream of as yet unnamed newcomers, not only encrypt on-line information but also corrupt most configured system restore points and backups. Data synchronized to cloud environments can also be corrupted. In a vulnerable system, this can render automated restoration useless and effectively set the datacenter back to zero.

Getting on-line services and information back following a crypto-ransomware intrusion becomes a sprint against time as the targeted business tries its best to contain and clear the crypto-ransomware and to restore mission-critical activity. Since crypto-ransomware takes time to move laterally, attacks are usually launched on weekends, when successful penetrations may take longer to detect. This multiplies the difficulty of rapidly marshalling and coordinating a knowledgeable mitigation team.

Progent has a range of support services for securing organizations from ransomware events. These include team member training to become familiar with and avoid phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, plus deployment of modern security solutions with machine learning technology to intelligently discover and disable new threats. Progent also provides the services of veteran ransomware recovery professionals with the track record and perseverance to rebuild a compromised system as quickly as possible.

Progent's Crypto-Ransomware Recovery Services
Following a ransomware penetration, paying the ransom demand in Bitcoin does not ensure that the attackers will return the keys needed to decrypt any or all of your data. Kaspersky estimated that 17% of ransomware victims never recovered their files after having paid the ransom, compounding their losses. The gamble is also expensive. Ryuk ransoms often range from 15-40 BTC ($120,000 to $400,000), well above the typical ransomware demand, which ZDNet estimates to be around $13,000. The fallback is to re-install the critical parts of your IT environment. Absent usable backups of essential information, this requires a broad complement of skill sets, well-coordinated project management, and the ability to work non-stop until the task is completed.

For two decades, Progent has offered certified expert IT services for companies in Lubbock and throughout the US and has earned Microsoft Partner certification status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes engineers who have earned high-level industry certifications in important technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cyber security experts have garnered internationally-recognized certifications including CISM, CISSP-ISSAP, CRISC, and GIAC. (Refer to Progent's certifications.) Progent in addition has experience in financial management and ERP software solutions. This breadth of expertise gives Progent the capability to quickly identify critical systems, salvage the remaining components of your IT environment after a ransomware penetration, and rebuild them into a functioning system.

Progent's recovery team of experts has best of breed project management tools to coordinate the complicated restoration process. Progent appreciates the urgency of working rapidly and in unison with a client's management and IT staff to prioritize tasks and to get the most important systems back on-line as soon as humanly possible.

Customer Story: A Successful Crypto-Ransomware Virus Restoration
A small business hired Progent after its network was penetrated by the Ryuk ransomware. Ryuk is generally considered to have been created by North Korean state-sponsored criminal gangs, suspected of using algorithms leaked from America's National Security Agency. Ryuk targets specific companies with little tolerance for operational disruption and is one of the most profitable families of ransomware. Highly publicized victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a small manufacturing company located in Chicago with about 500 employees. The Ryuk attack had brought down all essential business operations and manufacturing processes. The majority of the client's backups had been online when the intrusion began and were damaged. The client considered paying the ransom (more than two hundred thousand dollars) and hoping for the best, but ultimately called Progent.


"I can't speak enough about the expertise Progent provided us throughout the most critical period of (our) company's life. We most likely would have paid the cybercriminals if not for the confidence the Progent group gave us. The fact that you could get our e-mail system and essential applications back on-line sooner than 1 week was incredible. Each expert I worked with or messaged at Progent was urgently focused on getting us back online and was working at all hours to bail us out."

Progent worked together with the client to quickly determine and prioritize the critical areas that needed to be recovered in order to resume business operations:

  • Active Directory (AD)
  • Electronic Messaging
  • Accounting and Manufacturing Software

To begin, Progent followed industry best practices for AV/malware incident response by halting lateral movement and cleaning up infected systems. Progent then began the task of restoring Windows Active Directory, the foundation of enterprise networks built on Microsoft Windows Server technology. Microsoft Exchange Server messaging will not work without Windows AD, and the business's MRP software relied on Microsoft SQL Server, which depends on Active Directory to authorize access to the data.

In less than two days, Progent rebuilt Windows Active Directory to its pre-attack state. Progent then performed reinstallations and hard drive recovery of the most important systems. All Exchange schema and configuration information was usable, which accelerated the Exchange restore. Progent was able to find intact OST files (Microsoft Outlook Offline Folder Files) on staff PCs and laptops and used them to recover mail messages. A reasonably recent off-line backup of the customer's financials/ERP systems made it possible to bring these required services back online for users. Although significant work remained to recover fully from the Ryuk event, critical systems were restored rapidly:


"For the most part, the production line operation was never shut down and we made all customer deliverables."

Throughout the following couple of weeks critical milestones in the restoration project were achieved through close collaboration between Progent consultants and the client:

  • Internal web applications were restored without losing any information.
  • The MailStore Exchange Server containing more than 4 million archived messages was brought on-line and accessible to users.
  • CRM/Product Ordering/Invoices/AP/AR/Inventory Control modules were fully restored.
  • A new Palo Alto 850 security appliance was set up.
  • Ninety percent of the user PCs were operational.

"A huge amount of what went on in the early hours is mostly a fog for me, but I will not soon forget the dedication each and every one of you accomplished to give us our company back. I have been working with Progent for at least 10 years, possibly more, and each time Progent has outperformed my expectations and delivered as promised. This event was a testament to your capabilities."

Conclusion
A probable business-killing disaster was averted through hard-working professionals, a broad array of subject matter expertise, and tight collaboration. Forensic analysis showed that the ransomware attack described here should have been identified and blocked by modern security solutions and security best practices, user and IT administrator training, and properly executed procedures for data protection and software patching; the reality, however, is that state-sponsored criminal cyber gangs from China, North Korea and elsewhere are relentless and represent an ongoing threat. If you do get hit by a ransomware incident, be assured that Progent's roster of professionals has extensive experience in crypto-ransomware defense, mitigation, and data disaster recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were involved), I'm grateful for making it so I could get some sleep after we got through the first week. Everyone did an amazing effort, and if any of your guys is around the Chicago area, dinner is the least I can do!"

To read or download a PDF version of this case study, please click:
Progent's Crypto-Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent can provide companies in Lubbock a portfolio of remote monitoring and security evaluation services to help you to minimize the threat from crypto-ransomware. These services include modern AI capability to uncover zero-day variants of crypto-ransomware that are able to evade traditional signature-based anti-virus solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring is an endpoint protection (EPP) service that utilizes next generation behavior analysis tools to defend physical and virtual endpoint devices against modern malware attacks like ransomware and file-less exploits, which routinely get by traditional signature-matching anti-virus tools. ProSight ASM safeguards on-premises and cloud resources and offers a unified platform to automate the complete malware attack lifecycle including filtering, infiltration detection, mitigation, remediation, and post-attack forensics. Top features include one-click rollback with Windows Volume Shadow Copy Service and real-time system-wide immunization against newly discovered threats. Find out more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection: Endpoint Protection and Microsoft Exchange Email Filtering
    ProSight Enhanced Security Protection services offer economical in-depth protection for physical and virtual servers, workstations, smartphones, and Microsoft Exchange. ProSight ESP uses contextual security and advanced heuristics for continuously monitoring and reacting to security assaults from all attack vectors. ProSight ESP provides firewall protection, intrusion alerts, endpoint control, and web filtering through leading-edge technologies incorporated within a single agent managed from a single console. Progent's security and virtualization consultants can help your business to design and implement a ProSight ESP deployment that meets your company's specific requirements and that allows you to demonstrate compliance with legal and industry information protection standards. Progent will help you specify and configure the security policies that ProSight ESP will enforce, and Progent will monitor your IT environment and react to alerts that require urgent attention. Progent's consultants can also help your company to set up and test a backup and disaster recovery system like ProSight Data Protection Services (DPS) so you can recover quickly from a potentially disastrous security attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint protection and Microsoft Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery Services
    Progent has worked with leading backup/restore technology providers to create ProSight Data Protection Services, a selection of management outsourcing plans that deliver backup-as-a-service. ProSight DPS services automate and monitor your data backup operations and allow transparent backup and rapid restoration of important files, applications, images, plus Hyper-V and VMware virtual machines. ProSight DPS helps your business recover from data loss resulting from equipment breakdown, natural calamities, fire, cyber attacks like ransomware, human mistakes, ill-intentioned employees, or software glitches. Managed services available in the ProSight DPS product family include ProSight DPS Ataro VM Backup, ProSight Ataro Office 365 Backup, ProSight ECHO Backup using Barracuda dedicated hardware, and ProSight MSP360 Hybrid Backup. Your Progent service representative can assist you to determine which of these fully managed services are best suited for your IT environment.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering and email encryption service that uses the infrastructure of leading information security vendors to deliver web-based control and world-class protection for all your inbound and outbound email. The powerful structure of Email Guard integrates cloud-based filtering with a local security gateway appliance to offer advanced protection against spam, viruses, DoS attacks, Directory Harvest Attacks (DHAs), and other email-borne threats. Email Guard's cloud filter acts as a first line of defense and blocks most threats from reaching your security perimeter. This reduces your exposure to external threats and conserves system bandwidth and storage space. Email Guard's onsite gateway device adds a further level of analysis for incoming email. For outbound email, the onsite security gateway provides AV and anti-spam filtering, protection against data leaks, and email encryption. The local security gateway can also help Exchange Server to monitor and safeguard internal email traffic that stays inside your corporate firewall. For more details, see Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Network Infrastructure Management
    Progent's ProSight WAN Watch is a network infrastructure monitoring and management service that makes it easy and affordable for smaller organizations to map, monitor, optimize and troubleshoot their connectivity appliances such as routers and switches, firewalls, and wireless controllers plus servers, endpoints and other networked devices. Using state-of-the-art RMM technology, WAN Watch ensures that infrastructure topology diagrams are kept updated, copies and displays the configuration information of almost all devices on your network, monitors performance, and sends notices when problems are discovered. By automating complex management and troubleshooting processes, WAN Watch can cut hours off common chores like network mapping, expanding your network, finding devices that need important updates, or identifying the cause of performance issues. Learn more details about ProSight WAN Watch network infrastructure monitoring and management consulting.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring
    ProSight LAN Watch is Progent's server and desktop remote monitoring service that uses state-of-the-art remote monitoring and management technology to keep your IT system running at peak levels by tracking the state of vital assets that drive your information system. When ProSight LAN Watch detects a problem, an alert is sent automatically to your specified IT management personnel and your Progent engineering consultant so that any looming issues can be resolved before they can disrupt productivity. Learn more details about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
    With ProSight Virtual Hosting service, a small or mid-size business can have its critical servers and applications hosted in a secure Tier III data center on a high-performance virtual machine host set up and maintained by Progent's network support professionals. Under Progent's ProSight Virtual Hosting model, the customer owns the data, the OS platforms, and the apps. Because the system is virtualized, it can be ported easily to an alternate hardware solution without a lengthy and technically risky reinstallation procedure. With ProSight Virtual Hosting, your business is not tied to a single hosting service. Learn more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to create, maintain, find and protect information related to your network infrastructure, procedures, applications, and services. You can quickly locate passwords or serial numbers and be warned automatically about upcoming expirations of SSL certificates, domains or warranties. By cleaning up and managing your network documentation, you can eliminate up to half of the time wasted trying to find critical information about your network. ProSight IT Asset Management features a common repository for holding and sharing all documents related to managing your network infrastructure such as recommended procedures and self-service instructions. ProSight IT Asset Management also offers a high level of automation for collecting and relating IT data. Whether you're planning enhancements, performing maintenance, or reacting to a crisis, ProSight IT Asset Management delivers the information you need as soon as you need it. Read more about Progent's ProSight IT Asset Management service.

  • Active Defense Against Ransomware: AI-based Ransomware Identification and Cleanup
    Progent's Active Defense Against Ransomware is an endpoint protection service that incorporates next generation behavior-based analysis technology to defend endpoints, servers and VMs against new malware assaults such as ransomware and file-less exploits, which easily escape legacy signature-matching anti-virus products. Progent Active Security Monitoring services protect on-premises and cloud resources and offer a unified platform to automate the entire threat progression including protection, identification, containment, cleanup, and forensics. Top features include one-click rollback with Windows Volume Shadow Copy Service and automatic system-wide immunization against newly discovered threats. Find out more about Progent's ransomware defense and recovery services.

  • Outsourced/Co-managed Call Desk: Help Desk Managed Services
    Progent's Call Center managed services permit your information technology group to offload Call Center services to Progent or split responsibilities for Service Desk support transparently between your in-house network support team and Progent's nationwide pool of IT service technicians, engineers and subject matter experts (SMEs). Progent's Co-managed Service Desk provides a smooth extension of your corporate support organization. End user access to the Help Desk, provision of support services, problem escalation, ticket creation and tracking, efficiency metrics, and management of the service database are cohesive regardless of whether issues are resolved by your internal IT support staff, by Progent, or by a combination. Learn more about Progent's outsourced/co-managed Help Desk services.

  • Progent's Patch Management: Software/Firmware Update Management Services
    Progent's managed services for patch management provide businesses of all sizes a versatile and cost-effective alternative for assessing, validating, scheduling, applying, and documenting software and firmware updates to your dynamic information network. In addition to maximizing the protection and reliability of your IT environment, Progent's patch management services free up time for your in-house IT team to focus on more strategic initiatives and tasks that derive the highest business value from your network. Find out more about Progent's patch management services.

  • ProSight Duo Multi-Factor Authentication: ID Confirmation, Endpoint Policy Enforcement, and Protected Single Sign-on
    Progent's Duo authentication managed services incorporate Cisco's Duo cloud technology to protect against password theft through the use of two-factor authentication. Duo enables one-tap identity confirmation with iOS, Android, and other out-of-band devices. Using Duo 2FA, when you sign into a secured application and enter your password you are requested to verify your identity on a device that only you have and that uses a different ("out-of-band") network channel. A broad range of devices can be used as this added means of ID validation, such as a smartphone or wearable, a hardware token, or a landline phone. You may register multiple verification devices. To find out more about Duo two-factor identity authentication services, visit Cisco Duo MFA two-factor authentication services.

For 24x7 Lubbock CryptoLocker Removal Consultants, reach out to Progent at 800-462-8800 or go to Contact Progent.