Ransomware : Your Feared IT Nightmare
Ransomware  Recovery ProfessionalsRansomware has become a too-frequent cyberplague that represents an extinction-level danger for businesses of all sizes unprepared for an assault. Different versions of ransomware such as Reveton, Fusob, Locky, NotPetya and MongoLock cryptoworms have been replicating for years and still cause havoc. More recent strains of ransomware such as Ryuk, Maze, Sodinokibi, Netwalker, Lockbit or Egregor, plus frequent as yet unnamed malware, not only encrypt on-line critical data but also infect any available system backups. Data synched to off-site disaster recovery sites can also be corrupted. In a poorly designed data protection solution, this can render any restoration hopeless and effectively sets the datacenter back to square one.

Restoring applications and data after a ransomware attack becomes a race against the clock as the victim tries its best to contain the damage and cleanup the crypto-ransomware and to resume mission-critical operations. Because crypto-ransomware takes time to move laterally, assaults are often launched on weekends and holidays, when successful attacks in many cases take longer to uncover. This multiplies the difficulty of promptly marshalling and coordinating an experienced response team.

Progent makes available a variety of support services for protecting organizations from ransomware events. These include team training to help identify and avoid phishing exploits, ProSight Active Security Monitoring for remote monitoring and management, along with installation of modern security solutions with AI technology to quickly identify and extinguish new threats. Progent in addition can provide the assistance of seasoned ransomware recovery professionals with the skills and perseverance to reconstruct a breached environment as soon as possible.

Progent's Ransomware Restoration Help
Subsequent to a crypto-ransomware attack, sending the ransom demands in Bitcoin cryptocurrency does not guarantee that merciless criminals will respond with the codes to decrypt any or all of your information. Kaspersky Labs estimated that 17% of crypto-ransomware victims never recovered their information after having paid the ransom, resulting in additional losses. The risk is also expensive. Ryuk ransoms frequently range from 15-40 BTC ($120,000 and $400,000). This is well above the usual ransomware demands, which ZDNET determined to be in the range of $13,000. The other path is to re-install the key parts of your IT environment. Without access to full data backups, this calls for a wide complement of skill sets, top notch project management, and the willingness to work non-stop until the task is done.

For decades, Progent has made available expert Information Technology services for businesses in Leeds and across the US and has earned Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes consultants who have been awarded top certifications in key technologies such as Microsoft, Cisco, VMware, and major distributions of Linux. Progent's security specialists have earned internationally-renowned industry certifications including CISA, CISSP-ISSAP, CRISC, and GIAC. (See Progent's certifications). Progent in addition has experience in accounting and ERP software solutions. This breadth of expertise affords Progent the ability to efficiently identify critical systems and organize the surviving components of your network system following a ransomware attack and assemble them into an operational system.

Progent's recovery team of experts uses top notch project management systems to orchestrate the complicated recovery process. Progent appreciates the urgency of working quickly and in unison with a client's management and Information Technology team members to prioritize tasks and to put essential applications back online as soon as humanly possible.

Client Story: A Successful Ransomware Virus Restoration
A small business engaged Progent after their company was penetrated by Ryuk ransomware virus. Ryuk is generally considered to have been developed by Northern Korean government sponsored criminal gangs, possibly adopting algorithms leaked from the U.S. NSA organization. Ryuk goes after specific organizations with limited room for disruption and is among the most profitable iterations of crypto-ransomware. Well Known victims include Data Resolution, a California-based information warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a regional manufacturer based in the Chicago metro area with around 500 staff members. The Ryuk intrusion had frozen all business operations and manufacturing capabilities. The majority of the client's information backups had been on-line at the time of the attack and were destroyed. The client was pursuing financing for paying the ransom demand (exceeding $200K) and praying for the best, but ultimately reached out to Progent.


"I canít speak enough in regards to the help Progent provided us during the most stressful period of (our) businesses existence. We had little choice but to pay the Hackers if not for the confidence the Progent team afforded us. That you could get our e-mail system and critical applications back online in less than seven days was something I thought impossible. Every single expert I spoke to or texted at Progent was totally committed on getting our system up and was working 24 by 7 to bail us out."

Progent worked hand in hand the customer to quickly get our arms around and prioritize the most important systems that needed to be recovered in order to continue company operations:

  • Microsoft Active Directory
  • Microsoft Exchange
  • MRP System
To start, Progent followed ransomware penetration mitigation industry best practices by stopping the spread and clearing up compromised systems. Progent then began the work of rebuilding Microsoft AD, the heart of enterprise systems built upon Microsoft technology. Microsoft Exchange messaging will not work without Active Directory, and the businessesí MRP software leveraged Microsoft SQL, which requires Active Directory for access to the data.

Within two days, Progent was able to restore Active Directory to its pre-penetration state. Progent then completed setup and storage recovery of essential applications. All Exchange Server ties and configuration information were intact, which accelerated the rebuild of Exchange. Progent was also able to locate intact OST data files (Outlook Email Offline Data Files) on various desktop computers and laptops in order to recover mail data. A recent offline backup of the businesses accounting/MRP systems made them able to return these required programs back online for users. Although major work was left to recover fully from the Ryuk damage, the most important services were returned to operations rapidly:


"For the most part, the production operation survived unscathed and we produced all customer deliverables."

Throughout the next month critical milestones in the recovery process were achieved in tight cooperation between Progent consultants and the customer:

  • In-house web applications were returned to operation without losing any information.
  • The MailStore Microsoft Exchange Server with over 4 million archived messages was restored to operations and accessible to users.
  • CRM/Product Ordering/Invoicing/Accounts Payable/Accounts Receivables/Inventory Control functions were 100 percent recovered.
  • A new Palo Alto Networks 850 security appliance was set up.
  • Nearly all of the user PCs were fully operational.

"So much of what occurred in the early hours is nearly entirely a blur for me, but we will not forget the commitment all of you put in to give us our business back. Iíve been working together with Progent for the past ten years, maybe more, and every time Progent has come through and delivered as promised. This situation was a stunning achievement."

Conclusion
A possible company-ending disaster was evaded due to dedicated experts, a broad range of technical expertise, and tight teamwork. Although in analyzing the event afterwards the ransomware virus incident detailed here would have been blocked with advanced cyber security technology solutions and recognized best practices, team education, and properly executed security procedures for data backup and proper patching controls, the reality is that government-sponsored hackers from Russia, China and elsewhere are tireless and are not going away. If you do get hit by a ransomware incident, feel confident that Progent's roster of experts has proven experience in crypto-ransomware virus blocking, cleanup, and information systems restoration.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others that were involved), thank you for allowing me to get rested after we made it through the initial push. All of you did an fabulous effort, and if any of your team is visiting the Chicago area, a great meal is on me!"

To read or download a PDF version of this customer story, please click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Offered by Progent
Progent offers businesses in Leeds a variety of remote monitoring and security assessment services designed to assist you to minimize the threat from ransomware. These services utilize next-generation machine learning capability to uncover zero-day variants of ransomware that are able to get past traditional signature-based anti-virus products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) service that utilizes cutting edge behavior machine learning technology to defend physical and virtual endpoint devices against new malware attacks such as ransomware and email phishing, which easily get by traditional signature-based anti-virus tools. ProSight Active Security Monitoring protects on-premises and cloud-based resources and provides a unified platform to automate the entire malware attack progression including filtering, identification, mitigation, remediation, and post-attack forensics. Key capabilities include one-click rollback with Windows VSS and real-time system-wide immunization against new threats. Find out more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Protection and Microsoft Exchange Email Filtering
    Progent's ProSight Enhanced Security Protection services deliver economical in-depth security for physical servers and virtual machines, desktops, mobile devices, and Exchange Server. ProSight ESP uses adaptive security and modern behavior analysis for continuously monitoring and responding to security threats from all vectors. ProSight ESP delivers firewall protection, intrusion alerts, device control, and web filtering via leading-edge tools incorporated within one agent accessible from a unified control. Progent's security and virtualization experts can assist you to design and configure a ProSight ESP environment that addresses your company's specific needs and that helps you prove compliance with government and industry data protection standards. Progent will help you specify and configure security policies that ProSight ESP will manage, and Progent will monitor your network and react to alerts that require urgent action. Progent can also help you to set up and verify a backup and restore system like ProSight Data Protection Services (DPS) so you can get back in business quickly from a destructive cyber attack like ransomware. Learn more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint protection and Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services offer small and medium-sized businesses an affordable and fully managed solution for secure backup/disaster recovery. For a low monthly rate, ProSight DPS automates and monitors your backup activities and enables rapid restoration of vital files, apps and virtual machines that have become unavailable or damaged as a result of component failures, software glitches, natural disasters, human error, or malicious attacks such as ransomware. ProSight DPS can help you back up, recover and restore files, folders, applications, system images, plus Microsoft Hyper-V and VMware virtual machine images. Important data can be protected on the cloud, to a local device, or to both. Progent's BDR consultants can deliver advanced support to configure ProSight DPS to to comply with regulatory requirements such as HIPAA, FINRA, and PCI and, whenever necessary, can help you to restore your critical data. Learn more about ProSight DPS Managed Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that incorporates the technology of leading information security vendors to deliver centralized control and world-class security for all your inbound and outbound email. The powerful architecture of Progent's Email Guard integrates a Cloud Protection Layer with an on-premises gateway appliance to offer advanced protection against spam, viruses, Dos Attacks, Directory Harvest Attacks, and other email-borne malware. The cloud filter serves as a first line of defense and keeps the vast majority of unwanted email from making it to your network firewall. This reduces your exposure to external threats and conserves system bandwidth and storage. Email Guard's on-premises gateway appliance provides a deeper level of analysis for incoming email. For outgoing email, the local gateway offers AV and anti-spam filtering, protection against data leaks, and email encryption. The local security gateway can also help Microsoft Exchange Server to track and safeguard internal email traffic that originates and ends inside your security perimeter. For more information, see Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Infrastructure Management
    ProSight WAN Watch is an infrastructure monitoring and management service that makes it easy and affordable for smaller businesses to map out, monitor, enhance and debug their connectivity appliances like routers and switches, firewalls, and access points as well as servers, printers, client computers and other networked devices. Incorporating state-of-the-art Remote Monitoring and Management technology, ProSight WAN Watch makes sure that infrastructure topology diagrams are kept current, captures and displays the configuration information of virtually all devices on your network, tracks performance, and generates notices when potential issues are detected. By automating tedious network management processes, WAN Watch can cut hours off ordinary chores such as making network diagrams, reconfiguring your network, finding appliances that require important software patches, or isolating performance issues. Learn more about ProSight WAN Watch infrastructure monitoring and management consulting.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
    ProSight LAN Watch is Progentís server and desktop monitoring managed service that incorporates advanced remote monitoring and management (RMM) technology to keep your network running at peak levels by checking the health of vital computers that power your information system. When ProSight LAN Watch uncovers an issue, an alarm is sent immediately to your specified IT management staff and your Progent consultant so that all looming issues can be addressed before they can disrupt productivity. Learn more about ProSight LAN Watch server and desktop monitoring services.

  • ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
    With ProSight Virtual Hosting service, a small or mid-size business can have its critical servers and applications hosted in a protected Tier III data center on a fast virtual host set up and managed by Progent's network support experts. Under the ProSight Virtual Hosting service model, the client owns the data, the operating system platforms, and the apps. Since the system is virtualized, it can be ported immediately to a different hardware environment without requiring a time-consuming and technically risky reinstallation process. With ProSight Virtual Hosting, you are not locked into a single hosting service. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to create, maintain, retrieve and safeguard information related to your IT infrastructure, processes, applications, and services. You can quickly locate passwords or IP addresses and be alerted automatically about impending expirations of SSLs or warranties. By cleaning up and managing your network documentation, you can save up to half of time thrown away looking for critical information about your network. ProSight IT Asset Management includes a common repository for storing and sharing all documents related to managing your network infrastructure such as recommended procedures and self-service instructions. ProSight IT Asset Management also supports advanced automation for gathering and relating IT information. Whether youíre making enhancements, performing regular maintenance, or responding to a crisis, ProSight IT Asset Management gets you the data you require as soon as you need it. Read more about ProSight IT Asset Management service.
For 24-7 Leeds CryptoLocker Removal Support Services, call Progent at 800-462-8800 or go to Contact Progent.