Ransomware : Your Worst Information Technology Nightmare
Crypto-Ransomware  Remediation ExpertsRansomware has become an escalating cyberplague that represents an extinction-level danger for organizations vulnerable to an attack. Multiple generations of ransomware like the Dharma, Fusob, Bad Rabbit, Syskey and MongoLock cryptoworms have been out in the wild for many years and still inflict destruction. Recent strains of ransomware such as Ryuk and Hermes, along with more unnamed newcomers, not only do encryption of on-line data files but also infiltrate many available system backups. Files synched to the cloud can also be ransomed. In a vulnerable system, it can make automated recovery impossible and basically sets the datacenter back to zero.

Getting back on-line services and information after a ransomware event becomes a sprint against time as the targeted organization struggles to contain the damage and eradicate the crypto-ransomware and to restore business-critical operations. Since ransomware needs time to spread, attacks are usually sprung during nights and weekends, when successful penetrations tend to take longer to recognize. This compounds the difficulty of quickly assembling and coordinating a capable mitigation team.

Progent has an assortment of support services for securing organizations from crypto-ransomware events. These include team member education to help identify and avoid phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, in addition to installation of next-generation security gateways with artificial intelligence capabilities to automatically identify and disable new cyber attacks. Progent in addition can provide the assistance of expert ransomware recovery consultants with the talent and commitment to rebuild a breached system as quickly as possible.

Progent's Crypto-Ransomware Restoration Help
Subsequent to a ransomware attack, sending the ransom in cryptocurrency does not guarantee that merciless criminals will return the keys to unencrypt all your data. Kaspersky Labs estimated that seventeen percent of crypto-ransomware victims never recovered their data after having paid the ransom, resulting in increased losses. The risk is also expensive. Ryuk ransoms frequently range from fifteen to forty BTC ($120,000 and $400,000). This is greatly above the usual ransomware demands, which ZDNET averages to be in the range of $13,000. The fallback is to piece back together the critical elements of your Information Technology environment. Without access to essential data backups, this calls for a broad range of IT skills, top notch team management, and the capability to work non-stop until the job is complete.

For twenty years, Progent has offered professional IT services for businesses in Lower Manhattan and across the US and has achieved Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes consultants who have been awarded high-level industry certifications in leading technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity engineers have earned internationally-renowned certifications including CISM, CISSP-ISSAP, CRISC, and SANS GIAC. (Refer to Progent's certifications). Progent in addition has experience in financial systems and ERP software solutions. This breadth of experience affords Progent the capability to efficiently understand important systems and consolidate the remaining pieces of your computer network system after a ransomware penetration and configure them into an operational network.

Progent's ransomware team of experts utilizes state-of-the-art project management tools to coordinate the complicated restoration process. Progent understands the urgency of working rapidly and together with a client's management and Information Technology team members to assign priority to tasks and to get the most important systems back on line as fast as possible.

Customer Story: A Successful Crypto-Ransomware Virus Response
A business contacted Progent after their company was brought down by the Ryuk crypto-ransomware. Ryuk is believed to have been launched by Northern Korean state hackers, suspected of using algorithms exposed from Americaís National Security Agency. Ryuk seeks specific businesses with limited room for disruption and is among the most profitable iterations of ransomware viruses. Headline victims include Data Resolution, a California-based info warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a single-location manufacturing company headquartered in Chicago and has around 500 staff members. The Ryuk attack had brought down all business operations and manufacturing capabilities. The majority of the client's system backups had been on-line at the start of the attack and were encrypted. The client considered paying the ransom demand (in excess of $200,000) and praying for the best, but in the end engaged Progent.


"I canít speak enough in regards to the expertise Progent gave us throughout the most fearful period of (our) businesses life. We would have paid the hackers behind this attack if it wasnít for the confidence the Progent group gave us. That you could get our e-mail and important servers back sooner than a week was incredible. Every single consultant I talked with or messaged at Progent was absolutely committed on getting us working again and was working day and night on our behalf."

Progent worked hand in hand the customer to rapidly understand and assign priority to the most important services that had to be addressed in order to restart business functions:

  • Active Directory (AD)
  • Electronic Messaging
  • Accounting and Manufacturing Software
To start, Progent followed AV/Malware Processes event response industry best practices by isolating and removing active viruses. Progent then began the task of restoring Microsoft Active Directory, the foundation of enterprise networks built upon Microsoft technology. Microsoft Exchange Server email will not work without AD, and the customerís financials and MRP system utilized Microsoft SQL Server, which depends on Active Directory services for authentication to the information.

Within 48 hours, Progent was able to rebuild Windows Active Directory to its pre-virus state. Progent then completed rebuilding and hard drive recovery of essential systems. All Exchange ties and configuration information were intact, which facilitated the rebuild of Exchange. Progent was also able to locate intact OST files (Outlook Off-Line Data Files) on various PCs to recover mail data. A recent off-line backup of the client's manufacturing software made it possible to recover these required services back on-line. Although a large amount of work remained to recover fully from the Ryuk virus, essential services were recovered rapidly:


"For the most part, the production manufacturing operation survived unscathed and we delivered all customer shipments."

Throughout the next month key milestones in the recovery process were completed through close collaboration between Progent consultants and the client:

  • Internal web sites were returned to operation without losing any information.
  • The MailStore Exchange Server containing more than 4 million archived messages was brought online and accessible to users.
  • CRM/Product Ordering/Invoices/Accounts Payable (AP)/AR/Inventory Control capabilities were 100% restored.
  • A new Palo Alto 850 security appliance was brought on-line.
  • Most of the desktop computers were operational.

"So much of what transpired those first few days is nearly entirely a blur for me, but my management will not forget the dedication all of your team put in to help get our business back. Iíve been working with Progent for at least 10 years, possibly more, and each time I needed help Progent has impressed me and delivered as promised. This time was the most impressive ever."

Conclusion
A likely business-killing disaster was dodged by top-tier professionals, a wide spectrum of knowledge, and close collaboration. Although in analyzing the event afterwards the ransomware virus penetration described here could have been prevented with advanced security systems and NIST Cybersecurity Framework or ISO/IEC 27001 best practices, user education, and properly executed incident response procedures for data backup and proper patching controls, the fact is that government-sponsored criminal cyber gangs from China, North Korea and elsewhere are relentless and will continue. If you do get hit by a crypto-ransomware incident, feel confident that Progent's roster of experts has a proven track record in ransomware virus blocking, mitigation, and data recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (along with others who were helping), thanks very much for making it so I could get some sleep after we made it through the most critical parts. Everyone did an incredible effort, and if anyone is around the Chicago area, dinner is the least I can do!"

To read or download a PDF version of this customer case study, click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent can provide businesses in Lower Manhattan a portfolio of remote monitoring and security assessment services to assist you to reduce your vulnerability to crypto-ransomware. These services include modern AI technology to uncover zero-day variants of ransomware that can evade legacy signature-based security solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring (ASM) is an endpoint protection solution that incorporates next generation behavior machine learning technology to guard physical and virtual endpoint devices against modern malware assaults such as ransomware and email phishing, which routinely escape legacy signature-matching AV tools. ProSight Active Security Monitoring safeguards local and cloud resources and provides a single platform to address the entire malware attack lifecycle including filtering, identification, mitigation, cleanup, and post-attack forensics. Top features include one-click rollback using Windows Volume Shadow Copy Service (VSS) and automatic network-wide immunization against newly discovered threats. Read more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection: Endpoint Protection and Microsoft Exchange Email Filtering
    ProSight Enhanced Security Protection managed services offer economical in-depth security for physical servers and virtual machines, workstations, smartphones, and Microsoft Exchange. ProSight ESP uses adaptive security and modern behavior analysis for continuously monitoring and responding to cyber threats from all attack vectors. ProSight ESP delivers firewall protection, intrusion alerts, endpoint management, and web filtering through leading-edge technologies packaged within a single agent managed from a unified console. Progent's security and virtualization consultants can assist you to plan and configure a ProSight ESP deployment that meets your company's unique needs and that helps you achieve and demonstrate compliance with government and industry information protection standards. Progent will help you define and configure policies that ProSight ESP will manage, and Progent will monitor your IT environment and react to alerts that require immediate attention. Progent can also help your company to set up and verify a backup and restore system like ProSight Data Protection Services so you can get back in business quickly from a destructive security attack like ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint security and Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery
    ProSight Data Protection Services from Progent provide small and mid-sized organizations a low cost end-to-end service for reliable backup/disaster recovery (BDR). Available at a fixed monthly price, ProSight Data Protection Services automates and monitors your backup activities and enables rapid recovery of critical files, applications and virtual machines that have become unavailable or damaged as a result of component breakdowns, software glitches, natural disasters, human mistakes, or malicious attacks such as ransomware. ProSight DPS can help you protect, retrieve and restore files, folders, applications, system images, plus Hyper-V and VMware images/. Critical data can be backed up on the cloud, to a local device, or mirrored to both. Progent's BDR specialists can provide advanced support to configure ProSight Data Protection Services to be compliant with regulatory standards like HIPAA, FINRA, and PCI and, whenever necessary, can help you to restore your business-critical information. Learn more about ProSight Data Protection Services Managed Cloud Backup.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering and email encryption service that uses the infrastructure of top data security vendors to deliver centralized control and world-class security for your email traffic. The hybrid architecture of Progent's Email Guard managed service integrates a Cloud Protection Layer with a local security gateway device to offer advanced protection against spam, viruses, Dos Attacks, Directory Harvest Attacks, and other email-borne malware. Email Guard's Cloud Protection Layer serves as a preliminary barricade and blocks most unwanted email from making it to your network firewall. This reduces your exposure to external attacks and saves network bandwidth and storage. Email Guard's on-premises security gateway appliance adds a further level of analysis for incoming email. For outgoing email, the onsite security gateway provides anti-virus and anti-spam filtering, DLP, and email encryption. The onsite gateway can also help Microsoft Exchange Server to track and safeguard internal email that stays within your security perimeter. For more information, visit ProSight Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    Progentís ProSight WAN Watch is a network infrastructure monitoring and management service that makes it easy and affordable for small and mid-sized organizations to diagram, monitor, reconfigure and troubleshoot their connectivity hardware like routers, firewalls, and load balancers plus servers, client computers and other networked devices. Incorporating state-of-the-art Remote Monitoring and Management (RMM) technology, ProSight WAN Watch makes sure that network diagrams are always current, captures and manages the configuration of virtually all devices connected to your network, monitors performance, and sends alerts when problems are discovered. By automating time-consuming management and troubleshooting activities, WAN Watch can knock hours off common chores such as network mapping, reconfiguring your network, finding appliances that require critical updates, or isolating performance problems. Learn more details about ProSight WAN Watch network infrastructure management consulting.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring
    ProSight LAN Watch is Progentís server and desktop monitoring managed service that uses state-of-the-art remote monitoring and management techniques to keep your network running efficiently by tracking the health of vital computers that power your business network. When ProSight LAN Watch detects an issue, an alarm is transmitted automatically to your specified IT management staff and your assigned Progent engineering consultant so all potential problems can be resolved before they have a chance to disrupt productivity. Find out more about ProSight LAN Watch server and desktop monitoring consulting.

  • ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
    With Progent's ProSight Virtual Hosting service, a small business can have its key servers and applications hosted in a secure Tier III data center on a fast virtual host set up and managed by Progent's network support professionals. Under Progent's ProSight Virtual Hosting service model, the customer retains ownership of the data, the operating system platforms, and the apps. Since the environment is virtualized, it can be ported immediately to a different hardware environment without requiring a lengthy and difficult configuration procedure. With ProSight Virtual Hosting, you are not locked into a single hosting service. Find out more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to capture, update, retrieve and safeguard data about your IT infrastructure, procedures, business apps, and services. You can instantly locate passwords or serial numbers and be warned about upcoming expirations of SSLs ,domains or warranties. By updating and organizing your IT documentation, you can eliminate up to 50% of time thrown away searching for critical information about your network. ProSight IT Asset Management features a centralized location for storing and sharing all documents related to managing your business network like standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also supports advanced automation for gathering and associating IT data. Whether youíre planning enhancements, performing regular maintenance, or reacting to a crisis, ProSight IT Asset Management delivers the data you need when you need it. Learn more about Progent's ProSight IT Asset Management service.
For Lower Manhattan 24x7x365 Ransomware Removal Services, call Progent at 800-993-9400 or go to Contact Progent.