Ransomware : Your Feared IT Catastrophe
Ransomware  Remediation ConsultantsRansomware has become a modern cyberplague that poses an enterprise-level threat for businesses unprepared for an assault. Different versions of ransomware such as Dharma, CryptoWall, Locky, NotPetya and MongoLock cryptoworms have been around for many years and still cause harm. Newer variants of crypto-ransomware such as Ryuk and Hermes, as well as frequent unnamed viruses, not only encrypt online data files but also infect any available system backup. Data synched to the cloud can also be corrupted. In a poorly designed data protection solution, this can make automatic restore operations hopeless and basically sets the datacenter back to zero.

Recovering services and information after a crypto-ransomware attack becomes a race against the clock as the targeted organization tries its best to contain the damage and remove the ransomware and to restore enterprise-critical activity. Due to the fact that ransomware takes time to spread, attacks are usually sprung on weekends, when successful attacks typically take longer to uncover. This compounds the difficulty of rapidly mobilizing and orchestrating an experienced response team.

Progent provides an assortment of solutions for securing businesses from ransomware attacks. These include team member education to become familiar with and not fall victim to phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, along with deployment of the latest generation security gateways with machine learning capabilities to rapidly discover and disable zero-day cyber threats. Progent in addition provides the services of veteran ransomware recovery engineers with the skills and commitment to re-deploy a compromised network as urgently as possible.

Progent's Crypto-Ransomware Recovery Support Services
After a ransomware attack, paying the ransom demands in Bitcoin cryptocurrency does not provide any assurance that distant criminals will respond with the needed keys to decrypt any or all of your files. Kaspersky determined that 17% of ransomware victims never recovered their files after having sent off the ransom, resulting in more losses. The risk is also costly. Ryuk ransoms commonly range from fifteen to forty BTC ($120,000 and $400,000). This is significantly higher than the typical ransomware demands, which ZDNET determined to be in the range of $13,000. The other path is to setup from scratch the vital components of your Information Technology environment. Absent access to full information backups, this calls for a broad range of skill sets, professional project management, and the ability to work non-stop until the task is complete.

For decades, Progent has provided certified expert IT services for companies in San Antonio and throughout the US and has achieved Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes professionals who have attained advanced industry certifications in foundation technologies such as Microsoft, Cisco, VMware, and major distributions of Linux. Progent's security engineers have earned internationally-recognized industry certifications including CISM, CISSP-ISSAP, ISACA CRISC, and GIAC. (Refer to Progent's certifications). Progent in addition has expertise with accounting and ERP software solutions. This breadth of expertise gives Progent the ability to rapidly determine necessary systems and re-organize the surviving pieces of your Information Technology system following a ransomware event and assemble them into an operational system.

Progent's ransomware team deploys top notch project management applications to orchestrate the sophisticated recovery process. Progent appreciates the importance of acting swiftly and in concert with a customerís management and IT team members to prioritize tasks and to get essential systems back on-line as fast as possible.

Client Story: A Successful Crypto-Ransomware Virus Recovery
A small business contacted Progent after their company was taken over by the Ryuk ransomware. Ryuk is generally considered to have been created by North Korean state sponsored hackers, suspected of using algorithms exposed from the U.S. NSA organization. Ryuk goes after specific businesses with limited tolerance for operational disruption and is among the most profitable incarnations of ransomware. High publicized organizations include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a single-location manufacturing business located in Chicago and has around 500 staff members. The Ryuk attack had frozen all essential operations and manufacturing capabilities. Most of the client's data protection had been online at the beginning of the intrusion and were destroyed. The client was taking steps for paying the ransom demand (exceeding two hundred thousand dollars) and wishfully thinking for good luck, but ultimately made the decision to use Progent.


"I cannot thank you enough about the expertise Progent gave us throughout the most critical time of (our) companyís survival. We may have had to pay the cyber criminals behind the attack if it wasnít for the confidence the Progent experts afforded us. That you were able to get our e-mail and key applications back online in less than a week was beyond my wildest dreams. Every single consultant I got help from or messaged at Progent was laser focused on getting my company operational and was working 24/7 on our behalf."

Progent worked with the customer to quickly identify and assign priority to the essential applications that had to be recovered in order to resume business operations:

  • Microsoft Active Directory
  • Microsoft Exchange Email
  • Financials/MRP
To start, Progent adhered to Anti-virus penetration mitigation industry best practices by halting the spread and clearing up compromised systems. Progent then began the process of bringing back online Microsoft Active Directory, the heart of enterprise environments built upon Microsoft Windows technology. Exchange messaging will not work without Windows AD, and the client's financials and MRP software leveraged Microsoft SQL Server, which requires Windows AD for security authorization to the data.

In less than two days, Progent was able to recover Windows Active Directory to its pre-intrusion state. Progent then accomplished setup and storage recovery of critical systems. All Exchange Server data and attributes were usable, which facilitated the restore of Exchange. Progent was also able to assemble local OST data files (Outlook Email Offline Data Files) on team desktop computers in order to recover mail messages. A not too old off-line backup of the client's financials/MRP systems made them able to recover these essential applications back available to users. Although a large amount of work was left to recover totally from the Ryuk virus, core services were returned to operations rapidly:


"For the most part, the assembly line operation did not miss a beat and we made all customer deliverables."

Throughout the next few weeks critical milestones in the restoration process were completed in close collaboration between Progent engineers and the customer:

  • Internal web sites were brought back up without losing any data.
  • The MailStore Exchange Server with over 4 million historical emails was restored to operations and available for users.
  • CRM/Customer Orders/Invoices/AP/AR/Inventory functions were fully recovered.
  • A new Palo Alto 850 firewall was brought on-line.
  • Ninety percent of the desktop computers were being used by staff.

"A lot of what went on in the early hours is mostly a fog for me, but I will not forget the countless hours each and every one of you accomplished to give us our business back. I have been working together with Progent for the past 10 years, maybe more, and each time Progent has impressed me and delivered as promised. This time was no exception but maybe more Herculean."

Conclusion
A likely business-ending catastrophe was evaded with results-oriented professionals, a wide array of subject matter expertise, and tight teamwork. Although upon completion of forensics the ransomware incident detailed here should have been shut down with current security technology solutions and NIST Cybersecurity Framework or ISO/IEC 27001 best practices, team education, and properly executed security procedures for backup and proper patching controls, the fact remains that government-sponsored cybercriminals from Russia, North Korea and elsewhere are tireless and will continue. If you do fall victim to a ransomware virus, feel confident that Progent's roster of experts has a proven track record in crypto-ransomware virus blocking, remediation, and information systems recovery.


"So, to Darrin, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others that were helping), Iím grateful for making it so I could get some sleep after we made it past the first week. All of you did an amazing job, and if anyone is in the Chicago area, a great meal is the least I can do!"

To review or download a PDF version of this customer story, please click:
Progent's Ryuk Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Offered by Progent
Progent offers businesses in San Antonio a range of remote monitoring and security assessment services to assist you to reduce your vulnerability to ransomware. These services incorporate next-generation artificial intelligence capability to detect new variants of ransomware that are able to evade traditional signature-based security solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring (ASM) is an endpoint protection solution that utilizes cutting edge behavior-based analysis tools to defend physical and virtual endpoints against new malware attacks like ransomware and email phishing, which easily get by legacy signature-based AV tools. ProSight ASM safeguards on-premises and cloud-based resources and offers a unified platform to automate the entire threat lifecycle including filtering, identification, containment, remediation, and forensics. Top features include one-click rollback with Windows Volume Shadow Copy Service and automatic system-wide immunization against newly discovered attacks. Learn more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection: Endpoint Protection and Microsoft Exchange Filtering
    ProSight Enhanced Security Protection managed services offer economical in-depth protection for physical and virtual servers, workstations, smartphones, and Exchange Server. ProSight ESP uses contextual security and advanced heuristics for continuously monitoring and reacting to security assaults from all attack vectors. ProSight ESP delivers firewall protection, penetration alerts, device management, and web filtering through leading-edge technologies incorporated within one agent accessible from a unified console. Progent's data protection and virtualization consultants can help your business to design and configure a ProSight ESP deployment that addresses your organization's specific needs and that allows you demonstrate compliance with legal and industry data protection regulations. Progent will help you specify and implement security policies that ProSight ESP will manage, and Progent will monitor your IT environment and react to alerts that require urgent action. Progent's consultants can also assist your company to install and test a backup and disaster recovery solution like ProSight Data Protection Services (DPS) so you can get back in business quickly from a destructive cyber attack like ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified endpoint protection and Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services provide small and medium-sized businesses a low cost and fully managed solution for secure backup/disaster recovery (BDR). For a fixed monthly price, ProSight DPS automates your backup activities and enables rapid restoration of critical data, applications and VMs that have become unavailable or corrupted due to component failures, software bugs, natural disasters, human mistakes, or malware attacks like ransomware. ProSight Data Protection Services can help you protect, retrieve and restore files, folders, applications, system images, as well as Hyper-V and VMware virtual machine images. Important data can be protected on the cloud, to an on-promises storage device, or mirrored to both. Progent's backup and recovery specialists can deliver advanced support to configure ProSight Data Protection Services to be compliant with regulatory standards such as HIPAA, FINRA, and PCI and, when necessary, can help you to restore your critical information. Learn more about ProSight Data Protection Services Managed Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering and email encryption service that incorporates the infrastructure of top data security companies to deliver centralized management and world-class protection for your inbound and outbound email. The powerful structure of Email Guard combines cloud-based filtering with an on-premises gateway device to offer advanced protection against spam, viruses, Denial of Service Attacks, DHAs, and other email-borne malware. Email Guard's cloud filter acts as a preliminary barricade and blocks most unwanted email from reaching your network firewall. This reduces your vulnerability to external threats and saves system bandwidth and storage. Email Guard's on-premises gateway device adds a further level of analysis for incoming email. For outbound email, the on-premises security gateway offers anti-virus and anti-spam protection, DLP, and email encryption. The on-premises security gateway can also help Exchange Server to monitor and safeguard internal email traffic that originates and ends inside your security perimeter. For more details, see Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is a network infrastructure monitoring and management service that makes it simple and affordable for smaller businesses to map, monitor, optimize and debug their connectivity hardware such as routers and switches, firewalls, and access points as well as servers, endpoints and other networked devices. Using cutting-edge RMM technology, ProSight WAN Watch ensures that infrastructure topology diagrams are always updated, copies and displays the configuration of almost all devices on your network, tracks performance, and sends alerts when potential issues are discovered. By automating tedious network management activities, WAN Watch can knock hours off ordinary tasks like network mapping, expanding your network, finding appliances that require critical updates, or resolving performance issues. Learn more details about ProSight WAN Watch infrastructure monitoring and management services.

  • ProSight LAN Watch: Server and Desktop Monitoring
    ProSight LAN Watch is Progentís server and desktop monitoring service that incorporates state-of-the-art remote monitoring and management technology to help keep your IT system running efficiently by checking the health of vital assets that power your business network. When ProSight LAN Watch detects a problem, an alert is sent immediately to your designated IT personnel and your Progent engineering consultant so that any looming issues can be resolved before they can impact productivity. Find out more about ProSight LAN Watch server and desktop remote monitoring consulting.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
    With ProSight Virtual Hosting service, a small business can have its critical servers and applications hosted in a secure Tier III data center on a high-performance virtual machine host configured and managed by Progent's IT support experts. With the ProSight Virtual Hosting service model, the customer retains ownership of the data, the OS software, and the apps. Because the system is virtualized, it can be ported easily to an alternate hardware environment without a time-consuming and technically risky reinstallation process. With ProSight Virtual Hosting, your business is not locked into a single hosting provider. Find out more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to capture, update, retrieve and safeguard data about your IT infrastructure, procedures, business apps, and services. You can instantly find passwords or IP addresses and be warned automatically about upcoming expirations of SSL certificates or warranties. By cleaning up and managing your IT documentation, you can save up to half of time wasted looking for critical information about your network. ProSight IT Asset Management includes a common location for storing and sharing all documents required for managing your business network such as standard operating procedures (SOPs) and How-To's. ProSight IT Asset Management also offers a high level of automation for collecting and relating IT data. Whether youíre making improvements, performing regular maintenance, or responding to a crisis, ProSight IT Asset Management delivers the knowledge you need as soon as you need it. Read more about ProSight IT Asset Management service.
For 24-7 San Antonio CryptoLocker Recovery Help, call Progent at 800-993-9400 or go to Contact Progent.