Ransomware : Your Crippling Information Technology Nightmare
Ransomware  Recovery ConsultantsRansomware has become an escalating cyberplague that poses an enterprise-level threat for businesses unprepared for an assault. Different versions of crypto-ransomware like the CrySIS, CryptoWall, Locky, SamSam and MongoLock cryptoworms have been running rampant for years and still inflict harm. Modern versions of ransomware like Ryuk, Maze, Sodinokibi, Netwalker, Snatch or Egregor, along with daily as yet unnamed malware, not only encrypt online critical data but also infect any configured system restores and backups. Information synchronized to the cloud can also be ransomed. In a vulnerable data protection solution, it can make automated restore operations impossible and basically knocks the entire system back to square one.

Restoring programs and information after a ransomware attack becomes a race against the clock as the targeted organization struggles to stop the spread and cleanup the virus and to resume enterprise-critical activity. Since crypto-ransomware needs time to move laterally, attacks are often launched on weekends, when successful attacks may take longer to identify. This compounds the difficulty of promptly assembling and organizing a qualified mitigation team.

Progent offers a variety of support services for protecting organizations from ransomware events. Among these are user training to help recognize and avoid phishing scams, ProSight Active Security Monitoring for remote monitoring and management, plus installation of the latest generation security gateways with artificial intelligence technology to quickly discover and extinguish new threats. Progent also can provide the services of expert ransomware recovery consultants with the track record and perseverance to reconstruct a breached system as quickly as possible.

Progent's Ransomware Recovery Help
Subsequent to a crypto-ransomware penetration, even paying the ransom demands in cryptocurrency does not guarantee that distant criminals will respond with the codes to decipher any or all of your information. Kaspersky estimated that 17% of crypto-ransomware victims never recovered their information after having paid the ransom, resulting in increased losses. The gamble is also costly. Ryuk ransoms commonly range from fifteen to forty BTC ($120,000 and $400,000). This is greatly higher than the typical crypto-ransomware demands, which ZDNET estimates to be approximately $13,000. The fallback is to re-install the vital elements of your IT environment. Absent access to essential system backups, this calls for a broad complement of skills, top notch project management, and the ability to work non-stop until the job is done.

For two decades, Progent has made available expert IT services for businesses in Richmond and throughout the U.S. and has earned Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes engineers who have earned top certifications in foundation technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity experts have earned internationally-renowned certifications including CISM, CISSP, CRISC, and SANS GIAC. (Visit Progent's certifications). Progent also has expertise in accounting and ERP application software. This breadth of expertise provides Progent the skills to quickly identify necessary systems and integrate the surviving parts of your computer network system following a ransomware event and rebuild them into an operational system.

Progent's security team deploys powerful project management applications to coordinate the complicated recovery process. Progent appreciates the urgency of acting quickly and together with a client's management and IT staff to assign priority to tasks and to get essential applications back on-line as fast as possible.

Client Case Study: A Successful Ransomware Intrusion Restoration
A business escalated to Progent after their organization was attacked by Ryuk ransomware virus. Ryuk is believed to have been developed by North Korean state criminal gangs, possibly adopting algorithms exposed from the United States National Security Agency. Ryuk attacks specific companies with limited tolerance for disruption and is among the most lucrative iterations of ransomware malware. High publicized organizations include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a small manufacturing business located in the Chicago metro area and has around 500 staff members. The Ryuk intrusion had shut down all business operations and manufacturing capabilities. Most of the client's backups had been on-line at the time of the intrusion and were destroyed. The client was pursuing financing for paying the ransom demand (exceeding $200,000) and hoping for good luck, but ultimately made the decision to use Progent.


"I cannot thank you enough in regards to the expertise Progent provided us during the most fearful time of (our) businesses life. We had little choice but to pay the hackers behind this attack if it wasnít for the confidence the Progent experts provided us. That you could get our messaging and critical applications back on-line in less than five days was earth shattering. Every single expert I worked with or e-mailed at Progent was absolutely committed on getting us back online and was working at all hours to bail us out."

Progent worked hand in hand the customer to quickly understand and assign priority to the mission critical applications that had to be addressed in order to restart departmental functions:

  • Windows Active Directory
  • Microsoft Exchange Email
  • Financials/MRP
To get going, Progent followed AV/Malware Processes incident mitigation best practices by stopping the spread and clearing up compromised systems. Progent then began the process of restoring Active Directory, the core of enterprise networks built upon Microsoft Windows Server technology. Exchange messaging will not operate without Windows AD, and the client's financials and MRP applications utilized SQL Server, which needs Active Directory services for authentication to the databases.

Within two days, Progent was able to restore Active Directory services to its pre-penetration state. Progent then initiated rebuilding and hard drive recovery on critical servers. All Exchange data and configuration information were usable, which accelerated the restore of Exchange. Progent was also able to locate intact OST data files (Outlook Off-Line Folder Files) on staff PCs in order to recover email messages. A recent off-line backup of the customerís accounting/MRP software made them able to return these essential programs back online. Although a large amount of work needed to be completed to recover fully from the Ryuk virus, the most important systems were restored quickly:


"For the most part, the production line operation ran fairly normal throughout and we did not miss any customer deliverables."

Throughout the following few weeks key milestones in the restoration project were accomplished through close cooperation between Progent team members and the customer:

  • Self-hosted web sites were returned to operation without losing any data.
  • The MailStore Server exceeding four million archived emails was brought on-line and available for users.
  • CRM/Customer Orders/Invoices/Accounts Payable (AP)/Accounts Receivables/Inventory Control capabilities were fully restored.
  • A new Palo Alto 850 security appliance was brought online.
  • Most of the user desktops were being used by staff.

"A lot of what happened those first few days is mostly a fog for me, but my management will not soon forget the commitment each of you put in to help get our business back. I have entrusted Progent for at least 10 years, possibly more, and each time I needed help Progent has come through and delivered. This situation was a testament to your capabilities."

Conclusion
A potential business disaster was dodged by dedicated professionals, a broad array of subject matter expertise, and tight teamwork. Although in hindsight the crypto-ransomware virus attack detailed here would have been identified and prevented with up-to-date security solutions and NIST Cybersecurity Framework or ISO/IEC 27001 best practices, team training, and well designed security procedures for information protection and keeping systems up to date with security patches, the fact remains that government-sponsored cybercriminals from China, North Korea and elsewhere are tireless and are an ongoing threat. If you do get hit by a ransomware virus, feel confident that Progent's roster of professionals has proven experience in ransomware virus blocking, cleanup, and information systems disaster recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Tony (along with others that were helping), Iím grateful for letting me get rested after we made it past the first week. All of you did an fabulous effort, and if anyone is in the Chicago area, a great meal is the least I can do!"

To read or download a PDF version of this case study, click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent can provide businesses in Richmond a variety of online monitoring and security evaluation services designed to help you to minimize the threat from ransomware. These services utilize modern artificial intelligence capability to uncover new variants of ransomware that are able to escape detection by traditional signature-based security products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring (ASM) is an endpoint protection solution that utilizes next generation behavior-based machine learning technology to defend physical and virtual endpoint devices against modern malware attacks such as ransomware and email phishing, which easily evade legacy signature-based anti-virus tools. ProSight Active Security Monitoring protects on-premises and cloud-based resources and provides a single platform to automate the entire malware attack lifecycle including protection, detection, containment, cleanup, and forensics. Top capabilities include single-click rollback with Windows VSS and automatic network-wide immunization against newly discovered attacks. Find out more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection: Physical and Virtual Endpoint Security and Microsoft Exchange Email Filtering
    ProSight Enhanced Security Protection managed services deliver economical multi-layer protection for physical servers and VMs, workstations, mobile devices, and Exchange Server. ProSight ESP utilizes contextual security and modern behavior analysis for round-the-clock monitoring and responding to cyber threats from all attack vectors. ProSight ESP delivers two-way firewall protection, penetration alerts, device control, and web filtering through cutting-edge technologies incorporated within one agent accessible from a single control. Progent's data protection and virtualization consultants can help you to design and implement a ProSight ESP environment that addresses your company's specific needs and that allows you prove compliance with legal and industry data security standards. Progent will assist you define and configure security policies that ProSight ESP will enforce, and Progent will monitor your network and respond to alerts that require urgent action. Progent can also assist you to set up and test a backup and restore system like ProSight Data Protection Services (DPS) so you can recover rapidly from a destructive security attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint security and Microsoft Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery
    ProSight Data Protection Services provide small and mid-sized businesses an affordable and fully managed solution for secure backup/disaster recovery (BDR). For a low monthly cost, ProSight Data Protection Services automates your backup activities and allows rapid recovery of critical files, apps and VMs that have become unavailable or damaged due to component failures, software glitches, disasters, human error, or malware attacks like ransomware. ProSight Data Protection Services can help you protect, recover and restore files, folders, apps, system images, as well as Hyper-V and VMware images/. Important data can be backed up on the cloud, to a local device, or to both. Progent's cloud backup consultants can deliver world-class support to set up ProSight Data Protection Services to to comply with regulatory standards like HIPAA, FINRA, and PCI and, whenever necessary, can assist you to restore your critical data. Learn more about ProSight Data Protection Services Managed Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering service that incorporates the infrastructure of top data security companies to deliver centralized control and world-class protection for your inbound and outbound email. The powerful architecture of Progent's Email Guard combines cloud-based filtering with an on-premises gateway appliance to provide complete defense against spam, viruses, Denial of Service (DoS) Attacks, Directory Harvest Attacks (DHAs), and other email-based malware. The Cloud Protection Layer acts as a first line of defense and keeps the vast majority of threats from reaching your network firewall. This decreases your vulnerability to external attacks and conserves network bandwidth and storage. Email Guard's on-premises security gateway device adds a deeper layer of analysis for incoming email. For outgoing email, the onsite gateway offers anti-virus and anti-spam filtering, DLP, and email encryption. The onsite gateway can also assist Exchange Server to track and protect internal email that originates and ends inside your corporate firewall. For more details, visit ProSight Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Network Infrastructure Management
    Progentís ProSight WAN Watch is an infrastructure management service that makes it easy and affordable for small and mid-sized organizations to map out, monitor, reconfigure and troubleshoot their connectivity hardware such as routers and switches, firewalls, and wireless controllers plus servers, client computers and other networked devices. Incorporating cutting-edge Remote Monitoring and Management technology, ProSight WAN Watch ensures that infrastructure topology diagrams are always current, captures and displays the configuration information of virtually all devices on your network, monitors performance, and generates alerts when issues are detected. By automating time-consuming management and troubleshooting processes, WAN Watch can knock hours off common chores like network mapping, reconfiguring your network, locating appliances that need important updates, or resolving performance problems. Find out more about ProSight WAN Watch network infrastructure monitoring and management consulting.

  • ProSight LAN Watch: Server and Desktop Monitoring and Management
    ProSight LAN Watch is Progentís server and desktop monitoring managed service that uses advanced remote monitoring and management techniques to help keep your IT system running efficiently by tracking the state of critical assets that drive your business network. When ProSight LAN Watch detects a problem, an alert is sent immediately to your designated IT management personnel and your Progent engineering consultant so that all potential problems can be resolved before they can disrupt productivity. Learn more details about ProSight LAN Watch server and desktop monitoring consulting.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
    With ProSight Virtual Hosting service, a small or mid-size organization can have its critical servers and applications hosted in a secure fault tolerant data center on a fast virtual machine host set up and maintained by Progent's IT support professionals. With Progent's ProSight Virtual Hosting service model, the customer retains ownership of the data, the operating system platforms, and the applications. Because the environment is virtualized, it can be ported immediately to a different hardware solution without requiring a lengthy and difficult reinstallation process. With ProSight Virtual Hosting, your business is not tied one hosting provider. Find out more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to create, maintain, retrieve and protect information about your IT infrastructure, procedures, applications, and services. You can instantly find passwords or serial numbers and be warned automatically about impending expirations of SSLs or warranties. By updating and organizing your IT documentation, you can eliminate as much as 50% of time thrown away searching for critical information about your network. ProSight IT Asset Management features a centralized location for storing and sharing all documents related to managing your network infrastructure such as recommended procedures and How-To's. ProSight IT Asset Management also offers a high level of automation for collecting and relating IT information. Whether youíre making enhancements, performing maintenance, or responding to an emergency, ProSight IT Asset Management delivers the knowledge you need when you need it. Learn more about ProSight IT Asset Management service.
For Richmond 24x7x365 Crypto-Ransomware Removal Support Services, reach out to Progent at 800-993-9400 or go to Contact Progent.