Ransomware : Your Feared IT Disaster
Ransomware has become an escalating cyber pandemic that poses an enterprise-level danger to businesses of all sizes that are poorly prepared for an attack. Versions of ransomware such as the CryptoLocker, WannaCry, Locky, NotPetya and MongoLock cryptoworms have been around for a long time and continue to cause damage. Recent crypto-ransomware families such as Ryuk, Maze, Sodinokibi, Netwalker, Conti or Egregor, as well as other unnamed malware, not only encrypt on-line data but also seek out and disable any reachable system protection, including backups. Information replicated to the cloud can also be encrypted. In a poorly designed environment, this can make restoration hopeless and effectively knocks the network back to zero.

Retrieving programs and information after a crypto-ransomware outage becomes a sprint against time as the targeted business fights to contain the damage and clear the ransomware and to restore business-critical operations. Since crypto-ransomware needs time to move laterally, assaults are usually launched during nights and weekends, when penetrations are likely to take more time to notice. This compounds the difficulty of promptly marshalling and organizing a knowledgeable response team.

Progent makes available a range of help services for securing businesses from crypto-ransomware events. Among these are staff education to help identify and avoid phishing exploits, ProSight Active Security Monitoring (ASM) for remote monitoring and management, in addition to deployment of modern security solutions with artificial intelligence technology to intelligently identify and extinguish new cyber attacks. Progent also offers the assistance of experienced ransomware recovery consultants with the talent and commitment to restore a breached system as urgently as possible.

Progent's Ransomware Restoration Services
After a ransomware event, paying the ransom in Bitcoin does not ensure that the distant criminals will respond with the keys to decrypt any or all of your information. Kaspersky Labs determined that seventeen percent of ransomware victims never recovered their information after sending off the ransom, resulting in additional losses. The gamble is also expensive. Ryuk ransoms commonly range from 15-40 BTC ($120,000 to $400,000). This is well above the typical ransomware demand, which ZDNET estimates to be around $13,000. The fallback is to piece back together the vital elements of your Information Technology environment. Absent full system backups, this requires a wide range of IT skills, well-coordinated team management, and the willingness to work continuously until the task is done.

For two decades, Progent has offered professional IT services for businesses in Raleigh and across the U.S. and has earned Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes engineers who have attained top certifications in foundation technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity specialists have earned internationally-renowned industry certifications including CISA, CISSP-ISSAP, ISACA CRISC, and SANS GIAC. (Refer to Progent's certifications). Progent in addition has expertise with financial systems and ERP software solutions. This breadth of experience gives Progent the capability to knowledgably understand necessary systems and re-organize the surviving components of your computer network environment following a ransomware penetration and assemble them into an operational network.

Progent's security team of experts utilizes best of breed project management systems to coordinate the complex restoration process. Progent appreciates the urgency of working rapidly and in concert with a client's management and IT resources to assign priority to tasks and to get the most important applications back on-line as fast as humanly possible.

Client Case Study: A Successful Ransomware Intrusion Recovery
A business escalated to Progent after their organization was attacked by the Ryuk ransomware virus. Ryuk is thought to have been deployed by North Korean state hackers, suspected of adopting algorithms exposed from the U.S. National Security Agency. Ryuk targets specific organizations with little or no ability to sustain disruption and is one of the most lucrative instances of ransomware. Prominent victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a regional manufacturing company headquartered in Chicago with about 500 employees. The Ryuk attack had frozen all company operations and manufacturing capabilities. Most of the client's backups had been directly accessible on-line at the start of the intrusion and were encrypted along with the production data. The client considered paying the ransom (in excess of $200K) and hoping for the best, but in the end made the decision to use Progent.


"I cannot tell you enough about the care Progent provided us throughout the most fearful time of (our) company's survival. We had little choice but to pay the Hackers if it wasn't for the confidence the Progent team provided us. The fact that you were able to get our e-mail and important applications back faster than seven days was amazing. Every single expert I got help from or messaged at Progent was laser focused on getting my company operational and was working day and night to bail us out."

Progent worked together with the client to rapidly understand and assign priority to the essential applications that had to be addressed in order to continue company functions:

  • Active Directory
  • Electronic Messaging
  • Accounting and Manufacturing Software

To start, Progent followed ransomware incident mitigation best practices by isolating and cleaning up infected systems. Progent then started the task of bringing Microsoft Active Directory back online, the foundation of enterprise environments built on Microsoft technology. Microsoft Exchange messaging will not work without AD, and the business's MRP software relied on SQL Server, which in turn needs Active Directory services for access to the data.

Within 2 days, Progent was able to recover Active Directory services to their pre-penetration state. Progent then performed reinstallations and storage recovery on the needed servers. All Exchange ties and configuration information were usable, which facilitated the restore of Exchange. Progent was able to locate non-encrypted OST data files (Outlook Off-Line Folder Files) on user workstations in order to recover mail messages. A recent off-line backup of the business's accounting systems made it possible to return these essential applications to users. Although a large amount of work remained to recover fully from the Ryuk virus, essential services were returned to operation rapidly:
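The mailbox recovery step above depended on telling which Outlook cache files on workstations were still intact and which had been overwritten by the ransomware. The following is an added example, not Progent's tooling and not part of the original case study: it walks a directory tree, picks out anything that looks like an Outlook .ost/.pst file (including files that a renaming ransomware has given an extra extension), and checks the first four bytes for the "!BDN" magic that the MS-PST file format places at offset 0. The sample directory, user name and file names are constructed inside the script so it runs offline; the "damaged" file is filled with fixed non-matching bytes that stand in for ciphertext.

```python
"""
Triage Outlook OST/PST cache files after a ransomware incident.

Added example (not Progent's code). An OST or PST file begins with the
bytes "!BDN" (dwMagic 0x4E444221 in little-endian order in the MS-PST
specification). A file whose name says .ost/.pst but whose header no
longer matches has most likely been overwritten or encrypted and is not
worth copying to the recovery server.
"""
import os
import tempfile

PST_MAGIC = b"!BDN"
OUTLOOK_EXTS = (".ost", ".pst")


def is_candidate(name):
    """True if the file name contains an Outlook data-file extension.

    Substring match rather than endswith(), so a file renamed by ransomware
    (e.g. 'archive.pst.locked') is still picked up for inspection.
    """
    lower = name.lower()
    return any(ext in lower for ext in OUTLOOK_EXTS)


def classify_outlook_file(path):
    """Return 'intact', 'damaged' or 'unreadable' for one candidate file."""
    try:
        with open(path, "rb") as fh:
            header = fh.read(len(PST_MAGIC))
    except OSError:
        return "unreadable"
    return "intact" if header == PST_MAGIC else "damaged"


def scan_for_outlook_files(root):
    """Walk `root` and bucket every candidate file by its header check."""
    results = {"intact": [], "damaged": [], "unreadable": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if is_candidate(name):
                path = os.path.join(dirpath, name)
                results[classify_outlook_file(path)].append(path)
    return results


def build_sample_tree():
    """Constructed sample profile: one intact OST, one overwritten PST, one
    unrelated file. Returns the temporary root directory."""
    root = tempfile.mkdtemp(prefix="ost-triage-")
    user_dir = os.path.join(root, "alice", "AppData", "Local",
                            "Microsoft", "Outlook")
    os.makedirs(user_dir)
    # Intact cache file: real magic followed by constructed padding.
    with open(os.path.join(user_dir, "alice@example.com.ost"), "wb") as fh:
        fh.write(PST_MAGIC + b"\x00" * 60)
    # Renamed and overwritten file: fixed bytes standing in for ciphertext.
    with open(os.path.join(user_dir, "old-archive.pst.locked"), "wb") as fh:
        fh.write(bytes(range(200, 256)))
    # Not an Outlook file at all; must be ignored by the scan.
    with open(os.path.join(user_dir, "notes.txt"), "wb") as fh:
        fh.write(b"not an outlook file")
    return root


def sample_report():
    """Build the constructed tree, scan it, and return counts per bucket."""
    results = scan_for_outlook_files(build_sample_tree())
    return {status: len(paths) for status, paths in results.items()}


if __name__ == "__main__":
    root = build_sample_tree()
    for status, paths in scan_for_outlook_files(root).items():
        for path in paths:
            print(f"{status:10} {path}")
```

On a real workstation you would point `scan_for_outlook_files` at the user profile root and copy only the "intact" bucket to the recovery server; a header check is cheap, so it is worth running across every endpoint before deciding how much mail can be rebuilt from caches rather than from backups.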


"For the most part, the manufacturing operation never missed a beat and we made all customer sales."

During the following couple of weeks critical milestones in the restoration process were completed in tight cooperation between Progent team members and the customer:

  • Internal web sites were brought back up with no loss of information.
  • The MailStore Microsoft Exchange Server containing more than four million archived messages was brought online and accessible to users.
  • CRM/Product Ordering/Invoices/AP/AR/Inventory Control modules were fully restored.
  • A new Palo Alto Networks 850 firewall was brought on-line.
  • Most user workstations were back in use by staff.

"A lot of what happened in the initial days is mostly a blur for me, but my team will not forget the urgency all of your team accomplished to help get our business back. I have utilized Progent for at least 10 years, possibly more, and every time I needed help Progent has outperformed my expectations and delivered as promised. This time was no exception but maybe more Herculean."

Conclusion
A potentially enterprise-killing disaster was dodged through dedicated professionals, a wide spectrum of knowledge, and close teamwork. In hindsight, the crypto-ransomware incident described here should have been detected and prevented: modern security systems, NIST Cybersecurity Framework or ISO/IEC 27001 best practices, user training, well designed procedures for protecting backups, and keeping systems current with security patches would each have reduced the risk. The reality, however, is that state-sponsored cyber criminals from Russia, North Korea and elsewhere are relentless and an ongoing threat. If you do get hit by a ransomware penetration, be assured that Progent's roster of professionals has substantial experience in ransomware defense, removal, and data disaster recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (along with others who were contributing), thanks very much for allowing me to get rested after we made it over the first week. Everyone did an amazing job, and if any of your team is in the Chicago area, a great meal is on me!"

To review or download a PDF version of this customer case study, click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Offered by Progent
Progent offers companies in Raleigh a range of remote monitoring and security evaluation services designed to assist you to minimize the threat from crypto-ransomware. These services incorporate next-generation machine learning capability to detect new variants of crypto-ransomware that are able to escape detection by traditional signature-based security solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring (ASM) is an endpoint protection solution that utilizes cutting edge behavior-based machine learning technology to guard physical and virtual endpoint devices against modern malware assaults such as ransomware and file-less exploits, which easily get by traditional signature-matching anti-virus products. ProSight ASM safeguards on-premises and cloud resources and offers a unified platform to address the complete threat lifecycle including filtering, infiltration detection, mitigation, remediation, and post-attack forensics. Key capabilities include one-click rollback using Windows Volume Shadow Copy Service and real-time network-wide immunization against new threats. Find out more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection: Physical and Virtual Endpoint Security and Microsoft Exchange Email Filtering
    ProSight Enhanced Security Protection managed services offer ultra-affordable multi-layer protection for physical and virtual servers, desktops, mobile devices, and Exchange Server. ProSight ESP uses contextual security and modern behavior analysis for continuously monitoring and reacting to security assaults from all attack vectors. ProSight ESP offers firewall protection, intrusion alarms, device control, and web filtering through cutting-edge technologies incorporated within one agent accessible from a single control. Progent's data protection and virtualization consultants can assist your business to plan and implement a ProSight ESP deployment that addresses your company's specific needs and that allows you demonstrate compliance with government and industry information protection regulations. Progent will help you define and configure security policies that ProSight ESP will manage, and Progent will monitor your network and respond to alerts that call for urgent attention. Progent can also help your company to install and test a backup and restore system like ProSight Data Protection Services (DPS) so you can recover rapidly from a destructive cyber attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint security and Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services offer small and mid-sized businesses an affordable and fully managed solution for secure backup/disaster recovery. For a fixed monthly rate, ProSight Data Protection Services automates your backup processes and enables rapid restoration of vital files, applications and VMs that have become lost or corrupted due to component failures, software bugs, disasters, human error, or malware attacks like ransomware. ProSight DPS can help you back up, recover and restore files, folders, applications, system images, plus Microsoft Hyper-V and VMware virtual machine images. Important data can be backed up to the cloud, to a local device, or to both. Progent's cloud backup consultants can provide world-class support to set up ProSight DPS to comply with regulatory requirements like HIPAA, FIRPA, PCI and Safe Harbor and, when needed, can help you to restore your critical data. Find out more about ProSight Data Protection Services Managed Cloud Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering and email encryption service that incorporates the technology of leading information security companies to deliver centralized control and world-class security for all your inbound and outbound email. The powerful architecture of Progent's Email Guard integrates cloud-based filtering with a local gateway device to provide complete protection against spam, viruses, Denial of Service (DoS) Attacks, Directory Harvest Attacks (DHAs), and other email-based malware. The Cloud Protection Layer acts as a preliminary barricade and keeps the vast majority of threats from making it to your network firewall. This reduces your vulnerability to external attacks and conserves network bandwidth and storage. Email Guard's onsite security gateway appliance provides a deeper layer of analysis for inbound email. For outgoing email, the on-premises gateway provides AV and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The onsite gateway can also assist Microsoft Exchange Server to monitor and safeguard internal email traffic that stays inside your corporate firewall. For more details, see ProSight Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    Progent's ProSight WAN Watch is an infrastructure monitoring and management service that makes it simple and inexpensive for small and mid-sized organizations to map out, monitor, optimize and debug their networking appliances like switches, firewalls, and access points as well as servers, printers, endpoints and other devices. Incorporating cutting-edge Remote Monitoring and Management (RMM) technology, ProSight WAN Watch ensures that infrastructure topology maps are kept current, captures and manages the configuration information of almost all devices on your network, tracks performance, and generates notices when issues are detected. By automating complex network management processes, ProSight WAN Watch can knock hours off common chores like network mapping, expanding your network, finding devices that require critical updates, or resolving performance bottlenecks. Find out more about ProSight WAN Watch network infrastructure management consulting.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop monitoring managed service that incorporates advanced remote monitoring and management (RMM) techniques to help keep your network operating at peak levels by tracking the state of the vital assets that power your business network. When ProSight LAN Watch uncovers a problem, an alert is transmitted immediately to your specified IT staff and your Progent consultant so any potential issues can be addressed before they disrupt productivity. Learn more about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
    With ProSight Virtual Hosting service, a small or mid-size business can have its critical servers and apps hosted in a protected fault tolerant data center on a high-performance virtual machine host configured and maintained by Progent's IT support experts. Under Progent's ProSight Virtual Hosting model, the customer owns the data, the operating system software, and the apps. Because the system is virtualized, it can be ported immediately to an alternate hardware solution without a lengthy and technically risky reinstallation process. With ProSight Virtual Hosting, your business is not tied to one hosting service. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to capture, maintain, retrieve and protect information about your IT infrastructure, processes, applications, and services. You can instantly find passwords or serial numbers and be warned automatically about impending expirations of SSL certificates or domains. By updating and managing your IT infrastructure documentation, you can save as much as 50% of the time wasted looking for critical information about your network. ProSight IT Asset Management includes a common location for storing and sharing all documents required for managing your business network like standard operating procedures and self-service instructions. ProSight IT Asset Management also supports advanced automation for collecting and relating IT information. Whether you're making enhancements, performing maintenance, or reacting to an emergency, ProSight IT Asset Management gets you the data you require the instant you need it. Learn more about ProSight IT Asset Management service.

For Raleigh 24/7 Ransomware Cleanup Consultants, reach out to Progent at 800-993-9400 or go to Contact Progent.