Ransomware : Your Crippling IT Nightmare
Ransomware  Recovery ExpertsRansomware has become an escalating cyberplague that represents an extinction-level danger for businesses of all sizes unprepared for an attack. Different iterations of ransomware such as Reveton, WannaCry, Bad Rabbit, SamSam and MongoLock cryptoworms have been circulating for years and continue to cause harm. Newer variants of ransomware like Ryuk, Maze, Sodinokibi, DopplePaymer, Conti or Egregor, as well as frequent as yet unnamed malware, not only encrypt on-line files but also infiltrate all accessible system backup. Information synchronized to off-site disaster recovery sites can also be ransomed. In a poorly designed environment, this can make automated restore operations hopeless and effectively knocks the network back to square one.

Retrieving programs and data following a ransomware outage becomes a race against the clock as the targeted business struggles to contain and cleanup the virus and to resume business-critical activity. Since crypto-ransomware requires time to replicate, assaults are often launched during weekends and nights, when successful penetrations in many cases take longer to recognize. This compounds the difficulty of quickly marshalling and orchestrating a qualified mitigation team.

Progent offers an assortment of help services for securing businesses from ransomware attacks. These include staff education to help identify and not fall victim to phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, along with installation of modern security solutions with machine learning technology to rapidly detect and quarantine day-zero cyber attacks. Progent also provides the services of veteran ransomware recovery professionals with the talent and commitment to reconstruct a compromised system as urgently as possible.

Progent's Ransomware Recovery Services
Subsequent to a ransomware penetration, paying the ransom in Bitcoin cryptocurrency does not ensure that cyber criminals will provide the codes to decrypt any of your data. Kaspersky Labs ascertained that seventeen percent of ransomware victims never recovered their data after having paid the ransom, resulting in additional losses. The gamble is also very costly. Ryuk ransoms frequently range from 15-40 BTC ($120,000 and $400,000). This is greatly higher than the typical ransomware demands, which ZDNET estimates to be approximately $13,000. The other path is to re-install the mission-critical parts of your Information Technology environment. Without access to essential system backups, this requires a broad complement of skills, professional project management, and the willingness to work non-stop until the task is over.

For two decades, Progent has offered professional IT services for businesses in San Antonio and throughout the United States and has earned Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes consultants who have been awarded advanced certifications in foundation technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity engineers have earned internationally-recognized industry certifications including CISA, CISSP-ISSAP, ISACA CRISC, and GIAC. (See Progent's certifications). Progent in addition has experience in accounting and ERP software solutions. This breadth of expertise affords Progent the ability to rapidly understand important systems and re-organize the remaining components of your Information Technology system after a ransomware event and rebuild them into a functioning network.

Progent's security group uses top notch project management tools to coordinate the sophisticated restoration process. Progent understands the importance of acting swiftly and together with a customerís management and IT team members to prioritize tasks and to get key systems back online as soon as humanly possible.

Case Study: A Successful Ransomware Incident Restoration
A business engaged Progent after their company was penetrated by the Ryuk crypto-ransomware. Ryuk is believed to have been deployed by North Korean state sponsored criminal gangs, possibly using algorithms exposed from the U.S. National Security Agency. Ryuk goes after specific companies with limited ability to sustain operational disruption and is among the most profitable iterations of ransomware. Headline victims include Data Resolution, a California-based info warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a regional manufacturing company headquartered in Chicago with around 500 workers. The Ryuk intrusion had paralyzed all company operations and manufacturing processes. The majority of the client's information backups had been online at the beginning of the attack and were encrypted. The client was evaluating paying the ransom demand (more than $200K) and praying for good luck, but ultimately called Progent.


"I cannot thank you enough in regards to the support Progent provided us throughout the most stressful period of (our) businesses life. We had little choice but to pay the hackers behind this attack if it wasnít for the confidence the Progent group afforded us. That you could get our e-mail and essential servers back into operation quicker than one week was something I thought impossible. Each staff member I interacted with or e-mailed at Progent was amazingly focused on getting my company operational and was working breakneck pace on our behalf."

Progent worked together with the customer to rapidly understand and prioritize the key systems that needed to be restored to make it possible to resume business functions:

  • Microsoft Active Directory
  • Microsoft Exchange
  • MRP System
To start, Progent followed Anti-virus incident response industry best practices by stopping the spread and clearing up compromised systems. Progent then began the work of bringing back online Microsoft AD, the core of enterprise environments built upon Microsoft technology. Exchange messaging will not work without Active Directory, and the customerís accounting and MRP software utilized Microsoft SQL, which requires Active Directory services for authentication to the database.

Within two days, Progent was able to recover Active Directory to its pre-virus state. Progent then assisted with reinstallations and hard drive recovery of critical servers. All Microsoft Exchange Server schema and configuration information were usable, which greatly helped the restore of Exchange. Progent was also able to find intact OST files (Microsoft Outlook Offline Folder Files) on team PCs to recover mail information. A not too old off-line backup of the businesses financials/MRP systems made it possible to recover these required applications back available to users. Although a lot of work needed to be completed to recover totally from the Ryuk attack, core services were recovered quickly:


"For the most part, the manufacturing operation survived unscathed and we delivered all customer sales."

Throughout the next month critical milestones in the restoration project were made in close cooperation between Progent engineers and the customer:

  • Internal web applications were returned to operation without losing any information.
  • The MailStore Exchange Server with over four million historical messages was brought online and available for users.
  • CRM/Orders/Invoices/Accounts Payable (AP)/Accounts Receivables (AR)/Inventory Control functions were completely recovered.
  • A new Palo Alto Networks 850 security appliance was brought on-line.
  • Ninety percent of the user workstations were fully operational.

"A huge amount of what went on in the initial days is mostly a blur for me, but I will not forget the countless hours each of you put in to give us our business back. I have utilized Progent for the past 10 years, maybe more, and every time Progent has impressed me and delivered. This situation was a Herculean accomplishment."

Conclusion
A possible business-ending catastrophe was averted due to hard-working professionals, a broad range of IT skills, and tight teamwork. Although in post mortem the ransomware penetration detailed here should have been identified and prevented with advanced security systems and security best practices, user training, and well designed incident response procedures for backup and proper patching controls, the reality is that government-sponsored cyber criminals from China, North Korea and elsewhere are tireless and are an ongoing threat. If you do get hit by a ransomware penetration, feel confident that Progent's team of experts has extensive experience in ransomware virus blocking, cleanup, and file disaster recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (along with others that were involved), thanks very much for letting me get some sleep after we got past the first week. Everyone did an amazing effort, and if any of your guys is in the Chicago area, a great meal is the least I can do!"

To read or download a PDF version of this customer case study, please click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Offered by Progent
Progent offers businesses in San Antonio a variety of remote monitoring and security assessment services designed to help you to reduce your vulnerability to ransomware. These services incorporate modern artificial intelligence capability to detect zero-day variants of ransomware that can get past legacy signature-based anti-virus solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) solution that incorporates next generation behavior machine learning tools to guard physical and virtual endpoints against modern malware assaults such as ransomware and file-less exploits, which easily evade traditional signature-based anti-virus tools. ProSight Active Security Monitoring safeguards on-premises and cloud resources and offers a single platform to automate the entire malware attack progression including protection, detection, mitigation, remediation, and post-attack forensics. Key capabilities include single-click rollback using Windows VSS and real-time network-wide immunization against newly discovered threats. Learn more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection (ESP): Endpoint Protection and Microsoft Exchange Email Filtering
    ProSight Enhanced Security Protection managed services deliver economical in-depth protection for physical servers and virtual machines, desktops, mobile devices, and Exchange Server. ProSight ESP utilizes adaptive security and advanced heuristics for round-the-clock monitoring and responding to security assaults from all attack vectors. ProSight ESP offers firewall protection, intrusion alarms, endpoint control, and web filtering through cutting-edge tools packaged within one agent managed from a unified control. Progent's security and virtualization experts can help you to plan and configure a ProSight ESP environment that addresses your organization's specific needs and that allows you achieve and demonstrate compliance with legal and industry information security regulations. Progent will assist you specify and configure policies that ProSight ESP will enforce, and Progent will monitor your network and react to alerts that call for urgent attention. Progent's consultants can also assist you to install and test a backup and restore system such as ProSight Data Protection Services (DPS) so you can recover quickly from a destructive security attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified endpoint security and Exchange filtering.

  • ProSight Data Protection Services: Backup and Recovery Services
    Progent has worked with advanced backup/restore technology providers to produce ProSight Data Protection Services (DPS), a selection of subscription-based management offerings that provide backup-as-a-service (BaaS). ProSight DPS services automate and track your backup processes and enable transparent backup and rapid restoration of important files, applications, system images, and virtual machines. ProSight DPS lets you recover from data loss caused by hardware breakdown, natural calamities, fire, malware like ransomware, user mistakes, malicious insiders, or application bugs. Managed services available in the ProSight DPS product line include ProSight DPS Ataro VM Backup, ProSight Ataro Office 365 Backup, ProSight DPS ECHO Backup based on Barracuda dedicated storage, and ProSight MSP360 Hybrid Backup. Your Progent consultant can assist you to identify which of these fully managed backup services are most appropriate for your network.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering service that uses the infrastructure of leading information security companies to deliver web-based management and world-class security for all your email traffic. The powerful architecture of Progent's Email Guard combines a Cloud Protection Layer with a local gateway appliance to provide advanced protection against spam, viruses, Denial of Service (DoS) Attacks, Directory Harvest Attacks (DHAs), and other email-based malware. The Cloud Protection Layer serves as a first line of defense and keeps the vast majority of unwanted email from reaching your network firewall. This reduces your exposure to external threats and saves network bandwidth and storage. Email Guard's onsite security gateway device adds a deeper layer of inspection for inbound email. For outbound email, the onsite gateway offers AV and anti-spam filtering, policy-based Data Loss Prevention, and email encryption. The local gateway can also help Exchange Server to track and protect internal email traffic that originates and ends within your security perimeter. For more details, see ProSight Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Network Infrastructure Management
    Progentís ProSight WAN Watch is an infrastructure management service that makes it simple and affordable for small and mid-sized businesses to diagram, monitor, optimize and debug their networking appliances such as routers and switches, firewalls, and load balancers plus servers, printers, client computers and other devices. Incorporating cutting-edge Remote Monitoring and Management (RMM) technology, ProSight WAN Watch ensures that infrastructure topology diagrams are always current, copies and displays the configuration information of almost all devices connected to your network, tracks performance, and generates notices when issues are discovered. By automating time-consuming network management activities, WAN Watch can cut hours off common chores like making network diagrams, reconfiguring your network, locating devices that need critical software patches, or resolving performance issues. Find out more details about ProSight WAN Watch network infrastructure monitoring and management consulting.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
    ProSight LAN Watch is Progentís server and desktop monitoring managed service that incorporates advanced remote monitoring and management (RMM) technology to help keep your network running at peak levels by checking the health of vital computers that power your information system. When ProSight LAN Watch detects an issue, an alarm is sent automatically to your designated IT personnel and your assigned Progent engineering consultant so all potential issues can be resolved before they have a chance to disrupt productivity. Learn more about ProSight LAN Watch server and desktop remote monitoring consulting.

  • ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
    With Progent's ProSight Virtual Hosting service, a small organization can have its critical servers and applications hosted in a secure Tier III data center on a fast virtual machine host set up and maintained by Progent's network support experts. Under Progent's ProSight Virtual Hosting model, the client retains ownership of the data, the operating system software, and the applications. Since the environment is virtualized, it can be ported immediately to an alternate hardware environment without requiring a lengthy and difficult reinstallation procedure. With ProSight Virtual Hosting, your business is not tied a single hosting service. Find out more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to capture, maintain, retrieve and protect data about your network infrastructure, procedures, applications, and services. You can quickly find passwords or IP addresses and be alerted automatically about impending expirations of SSL certificates or domains. By cleaning up and managing your IT documentation, you can eliminate up to half of time thrown away searching for critical information about your network. ProSight IT Asset Management includes a common location for storing and collaborating on all documents related to managing your business network such as standard operating procedures (SOPs) and How-To's. ProSight IT Asset Management also supports advanced automation for gathering and associating IT data. Whether youíre making enhancements, performing regular maintenance, or reacting to an emergency, ProSight IT Asset Management gets you the data you need as soon as you need it. Find out more about ProSight IT Asset Management service.

  • Active Defense Against Ransomware: AI-based Ransomware Detection and Cleanup
    Progent's Active Protection Against Ransomware is an endpoint protection managed service that incorporates next generation behavior-based analysis technology to defend endpoints as well as physical and virtual servers against new malware attacks like ransomware and file-less exploits, which routinely escape legacy signature-matching anti-virus tools. Progent ASM services safeguard on-premises and cloud-based resources and provides a unified platform to automate the entire malware attack progression including blocking, infiltration detection, mitigation, remediation, and forensics. Top features include single-click rollback with Windows Volume Shadow Copy Service (VSS) and real-time system-wide immunization against newly discovered threats. Learn more about Progent's ransomware defense and cleanup services.

  • Progent's Outsourced/Shared Call Desk: Support Desk Managed Services
    Progent's Call Center managed services allow your information technology group to outsource Help Desk services to Progent or split activity for Help Desk services transparently between your internal support team and Progent's extensive pool of certified IT support technicians, engineers and subject matter experts. Progent's Co-managed Help Desk Service offers a smooth supplement to your in-house network support resources. End user interaction with the Service Desk, delivery of support services, issue escalation, trouble ticket creation and updates, performance measurement, and management of the service database are consistent whether incidents are resolved by your internal network support group, by Progent's team, or by a combination. Read more about Progent's outsourced/shared Call Center services.

  • Progent's Patch Management: Software/Firmware Update Management Services
    Progent's support services for patch management offer organizations of all sizes a versatile and cost-effective solution for evaluating, validating, scheduling, implementing, and documenting updates to your dynamic information system. Besides optimizing the protection and reliability of your IT environment, Progent's software/firmware update management services allow your IT team to concentrate on more strategic initiatives and tasks that deliver maximum business value from your network. Read more about Progent's software/firmware update management services.
For 24-7 San Antonio Crypto-Ransomware Recovery Support Services, reach out to Progent at 800-462-8800 or go to Contact Progent.