Ransomware : Your Feared IT Nightmare
Crypto-Ransomware Recovery Professionals

Ransomware has become an escalating cyber pandemic that presents an existential danger for organizations poorly prepared for an assault. Multiple generations of ransomware like the Dharma, CryptoWall, Bad Rabbit, SamSam and MongoLock cryptoworms have been circulating for years and continue to cause damage. Modern variants of ransomware such as Ryuk, Maze, Sodinokibi, Netwalker, Snatch or Egregor, plus additional as yet unnamed malware, not only encrypt on-line data files but also defeat many of the system protections that are in place. Data synchronized to off-site disaster recovery sites can also be ransomed. With a vulnerable data protection solution, this can make automatic restore operations impossible and effectively knock the network back to square one.

Getting applications and data back online after a ransomware outage becomes a sprint against time as the targeted organization struggles to stop the spread, clean up the ransomware, and restore business-critical operations. Since ransomware takes time to move laterally, attacks are usually sprung during weekends and nights, when successful penetrations are likely to take longer to uncover. This multiplies the difficulty of quickly mobilizing and organizing a knowledgeable response team.

Progent offers a variety of solutions for securing organizations from crypto-ransomware events. Among these are team member education to help recognize and not fall victim to phishing exploits, ProSight Active Security Monitoring (ASM) for remote monitoring and management, in addition to deployment of modern security appliances with machine learning capabilities to intelligently detect and disable new threats. Progent also can provide the services of experienced ransomware recovery consultants with the skills and commitment to reconstruct a breached environment as rapidly as possible.

Progent's Ransomware Recovery Services
Subsequent to a ransomware event, paying the ransom demanded in Bitcoin cryptocurrency does not ensure that the remote criminals will provide the keys to decrypt any of your files. Kaspersky determined that 17% of crypto-ransomware victims never recovered their files after having paid the ransom, resulting in additional losses. The ransom itself is also expensive. Ryuk ransoms frequently range from fifteen to forty BTC ($120,000 to $400,000). This is far higher than the average ransomware demand, which ZDNET estimates at approximately $13,000. The other path is to piece back together the critical elements of your IT environment. Without essential system backups available, this calls for a wide complement of IT skills, well-coordinated project management, and the willingness to work non-stop until the recovery project is over.

For twenty years, Progent has made available professional IT services for businesses in Joinville and throughout the US and has earned Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes professionals who have earned top industry certifications in key technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity consultants have earned internationally-recognized industry certifications including CISM, CISSP, CRISC, and GIAC. (Visit Progent's certifications.) Progent also has expertise with financial systems and ERP applications. This breadth of expertise gives Progent the skills to quickly understand important systems, consolidate the remaining components of your network environment following a crypto-ransomware attack, and assemble them into a functioning system.

Progent's ransomware group uses best-of-breed project management applications to orchestrate the complicated recovery process. Progent knows the importance of working quickly and together with a customer's management and Information Technology team members to assign priority to tasks and to get the most important services back online as soon as humanly possible.

Client Case Study: A Successful Crypto-Ransomware Penetration Restoration
A business hired Progent after their network system was attacked by the Ryuk ransomware. Ryuk is believed to have been developed by North Korean government-sponsored cybercriminals, possibly using technology leaked from the U.S. National Security Agency. Ryuk seeks specific companies with limited room for disruption and is among the most profitable instances of ransomware. Highly publicized victims include Data Resolution, a California-based information warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a single-location manufacturing company located in the Chicago metro area with around 500 employees. The Ryuk attack had shut down all essential operations and manufacturing capabilities. Most of the client's information backups had been online at the start of the attack and were destroyed. The client was preparing to pay the ransom (in excess of $200,000) and praying for the best, but ultimately brought in Progent.


"I cannot say enough in regards to the support Progent gave us throughout the most critical time of (our) company's life. We had little choice but to pay the cyber criminals except for the confidence the Progent team provided us. That you were able to get our e-mail system and important applications back into operation faster than one week was something I thought impossible. Each person I interacted with or communicated with at Progent was laser focused on getting my company operational and was working at breakneck pace to bail us out."

Progent worked hand in hand with the customer to rapidly identify and assign priority to the critical elements that had to be restored in order to resume business operations:

  • Windows Active Directory
  • Exchange Server
  • MRP System

To begin, Progent adhered to anti-virus event mitigation best practices by halting lateral movement and removing active viruses. Progent then initiated the task of bringing Microsoft AD back online, the core of enterprise environments built on Microsoft technology. Microsoft Exchange Server messaging will not operate without Active Directory, and the business's financials and MRP system used Microsoft SQL, which requires Windows AD for security authorization to the database.

Within two days, Progent was able to restore Active Directory services to their pre-attack state. Progent then accomplished setup and hard drive recovery on key systems. All Exchange Server ties and configuration information were intact, which facilitated the rebuild of Exchange. Progent was also able to locate intact OST data files (Microsoft Outlook Offline Data Files) on staff workstations to recover mail messages. A recent off-line backup of the business's accounting/MRP systems made it possible to bring these vital services back online. Although a lot of work still needed to be completed to recover fully from the Ryuk virus, the most important systems were returned to operation rapidly:


"For the most part, the assembly line operation never missed a beat and we did not miss any customer orders."

Over the following couple of weeks key milestones in the recovery process were accomplished through close cooperation between Progent consultants and the client:

  • Internal web applications were returned to operation with no loss of information.
  • The MailStore Server with over 4 million historical messages was restored to operations and available for users.
  • CRM/Customer Orders/Invoicing/Accounts Payable/AR/Inventory modules were 100 percent functional.
  • A new Palo Alto Networks 850 security appliance was brought online.
  • Nearly all of the desktops and laptops were operational.

"Much of what was accomplished in the initial days is nearly entirely a haze for me, but I will not forget the care each of the team put in to help get our company back. I have been working with Progent for at least 10 years, maybe more, and each time Progent has come through and delivered as promised. This situation was a life saver."

Conclusion
A possible enterprise-killing disaster was dodged with top-tier experts, a broad array of IT skills, and tight teamwork. Although, in post mortem, the crypto-ransomware incident detailed here should have been blocked by modern cyber security solutions and NIST Cybersecurity Framework best practices, user and IT administrator training, and well thought out security procedures for information protection and keeping systems up to date with security patches, the fact remains that government-sponsored criminal cyber gangs from China, North Korea and elsewhere are relentless and are not going away. If you do fall victim to a ransomware incursion, remember that Progent's team of professionals has substantial experience in ransomware virus blocking, removal, and information systems recovery.


"So, to Darrin, Matt, Aaron, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were helping), I'm grateful for allowing me to get some sleep after we got over the first week. Everyone did an incredible effort, and if any of your team is in the Chicago area, dinner is the least I can do!"

To review or download a PDF version of this customer story, click:
Progent's Ryuk Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent can provide companies in Joinville a portfolio of online monitoring and security assessment services to help you minimize the threat from crypto-ransomware. These services incorporate modern AI capability to uncover new variants of ransomware that are able to get past traditional signature-based anti-virus products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring is an endpoint protection (EPP) solution that incorporates next generation behavior analysis tools to guard physical and virtual endpoint devices against new malware attacks such as ransomware and file-less exploits, which easily escape traditional signature-matching anti-virus tools. ProSight ASM protects local and cloud resources and provides a unified platform to automate the entire threat lifecycle including protection, infiltration detection, containment, cleanup, and forensics. Key capabilities include one-click rollback with Windows VSS and real-time network-wide immunization against new attacks. Find out more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection: Physical and Virtual Endpoint Security and Exchange Filtering
    Progent's ProSight Enhanced Security Protection (ESP) services offer ultra-affordable in-depth security for physical servers and VMs, workstations, smartphones, and Microsoft Exchange. ProSight ESP uses contextual security and advanced heuristics for round-the-clock monitoring and reacting to cyber assaults from all attack vectors. ProSight ESP delivers firewall protection, intrusion alarms, device control, and web filtering via leading-edge technologies incorporated within one agent managed from a unified control. Progent's data protection and virtualization consultants can help your business to plan and configure a ProSight ESP deployment that meets your organization's specific requirements and that allows you to demonstrate compliance with government and industry information security standards. Progent will assist you in defining and implementing the security policies that ProSight ESP will manage, and Progent will monitor your network and respond to alarms that require immediate attention. Progent can also assist your company to set up and verify a backup and restore solution like ProSight Data Protection Services (DPS) so you can recover rapidly from a potentially disastrous cyber attack like ransomware. Read more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint security and Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services offer small and medium-sized organizations an affordable end-to-end solution for secure backup/disaster recovery (BDR). Available at a low monthly cost, ProSight Data Protection Services automates your backup processes and enables rapid recovery of vital files, apps and virtual machines that have become unavailable or damaged as a result of component failures, software bugs, disasters, human error, or malicious attacks like ransomware. ProSight DPS can help you back up, recover and restore files, folders, apps, system images, as well as Microsoft Hyper-V and VMware virtual machine images. Important data can be protected in the cloud, on an on-premises device, or both. Progent's backup and recovery specialists can provide world-class support to configure ProSight DPS to be compliant with regulatory standards like HIPAA, FINRA, PCI and Safe Harbor and, whenever needed, can help you to recover your critical information. Find out more about ProSight DPS Managed Cloud Backup.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that uses the infrastructure of top information security companies to deliver centralized control and comprehensive security for your inbound and outbound email. The hybrid structure of Email Guard integrates cloud-based filtering with a local security gateway device to provide complete protection against spam, viruses, Denial of Service (DoS) Attacks, Directory Harvest Attacks, and other email-borne malware. Email Guard's Cloud Protection Layer acts as a preliminary barricade and blocks the vast majority of unwanted email from making it to your network firewall. This decreases your vulnerability to external threats and conserves network bandwidth and storage space. Email Guard's onsite gateway device provides a further level of analysis for inbound email. For outgoing email, the onsite gateway offers AV and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The onsite security gateway can also help Exchange Server to monitor and safeguard internal email traffic that originates and ends within your corporate firewall. For more details, see ProSight Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is an infrastructure management service that makes it easy and affordable for smaller businesses to map out, track, enhance and debug their connectivity appliances such as switches, firewalls, and load balancers as well as servers, printers, endpoints and other devices. Incorporating cutting-edge Remote Monitoring and Management (RMM) technology, WAN Watch ensures that network maps are always current, copies and manages the configuration of virtually all devices on your network, tracks performance, and generates notices when issues are discovered. By automating tedious network management activities, WAN Watch can knock hours off common chores like making network diagrams, reconfiguring your network, finding devices that need critical software patches, or identifying the cause of performance issues. Learn more details about ProSight WAN Watch network infrastructure management services.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring
    ProSight LAN Watch is Progent's server and desktop monitoring service that uses advanced remote monitoring and management technology to keep your network running at peak levels by checking the health of the critical computers that power your business network. When ProSight LAN Watch uncovers an issue, an alert is transmitted automatically to your specified IT staff and your assigned Progent consultant so that all looming problems can be resolved before they can impact your network. Learn more details about ProSight LAN Watch server and desktop remote monitoring consulting.

  • ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
    With ProSight Virtual Hosting service, a small or mid-size organization can have its critical servers and applications hosted in a protected fault tolerant data center on a fast virtual machine host set up and managed by Progent's network support experts. Under the ProSight Virtual Hosting model, the customer retains ownership of the data, the OS platforms, and the applications. Since the system is virtualized, it can be moved immediately to a different hardware environment without a time-consuming and difficult configuration process. With ProSight Virtual Hosting, you are not locked into one hosting provider. Learn more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to create, maintain, find and safeguard information related to your IT infrastructure, processes, business apps, and services. You can quickly find passwords or serial numbers and be warned about upcoming expirations of SSL certificates or warranties. By updating and organizing your IT documentation, you can save as much as 50% of the time thrown away searching for critical information about your network. ProSight IT Asset Management includes a centralized location for holding and sharing all documents related to managing your business network such as standard operating procedures and How-To's. ProSight IT Asset Management also supports a high level of automation for collecting and associating IT information. Whether you're planning improvements, performing maintenance, or reacting to an emergency, ProSight IT Asset Management delivers the information you need when you need it. Learn more about ProSight IT Asset Management service.

For Joinville 24-7 Ransomware Removal Support Services, call Progent at 800-462-8800 or go to Contact Progent.