Ransomware : Your Crippling IT Disaster
Crypto-Ransomware Recovery Consultants

Ransomware has become a modern cyberplague that poses an existential danger to businesses of all sizes that are vulnerable to an attack. Different versions of ransomware like the CryptoLocker, CryptoWall, Bad Rabbit, SamSam and MongoLock cryptoworms have been running rampant for many years and still cause harm. The latest versions of ransomware like Ryuk, Maze, Sodinokibi, DopplePaymer, Conti or Egregor, along with daily unnamed malware, not only encrypt on-line data files but also infect all configured system backups. Data synchronized to off-site disaster recovery sites can also be rendered useless. In a poorly designed environment, this can make any recovery impossible and basically knocks the entire system back to zero.

Getting applications and information back following a crypto-ransomware attack becomes a race against the clock as the targeted organization tries its best to stop the spread, clear the virus, and resume mission-critical activity. Because ransomware takes time to replicate, attacks are usually launched during weekends and nights, when penetrations typically take longer to discover. This multiplies the difficulty of rapidly assembling and coordinating a knowledgeable mitigation team.

Progent has a range of support services for protecting organizations from crypto-ransomware attacks. Among these are user training to help identify and not fall victim to phishing exploits, ProSight Active Security Monitoring for remote monitoring and management, plus setup and configuration of modern security gateways with AI technology to rapidly discover and extinguish zero-day threats. Progent also provides the services of experienced crypto-ransomware recovery engineers with the track record and perseverance to restore a breached network as soon as possible.

Progent's Crypto-Ransomware Recovery Help
After a ransomware penetration, even paying the ransom demand in cryptocurrency does not ensure that the attackers will provide the keys needed to decrypt any of your information. Kaspersky Labs ascertained that 17% of crypto-ransomware victims never restored their files even after having paid the ransom, resulting in additional losses. The gamble is also very costly. Ryuk ransoms often range from 15-40 BTC ($120,000 to $400,000). This is greatly above the average crypto-ransomware demand, which ZDNET estimates to be approximately $13,000. The alternative is to piece back together the mission-critical components of your Information Technology environment. Without the availability of essential information backups, this calls for a wide range of IT skills, well-coordinated team management, and the ability to work non-stop until the task is finished.

For decades, Progent has offered professional Information Technology services for businesses in Salt Lake City and across the U.S. and has earned Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes engineers who have earned high-level certifications in important technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cyber security experts have earned internationally-renowned industry certifications including CISM, CISSP, CRISC, and SANS GIAC. (See Progent's certifications). Progent in addition has experience in financial management and ERP application software. This breadth of expertise affords Progent the capability to quickly determine important systems and consolidate the remaining components of your network system following a ransomware penetration and rebuild them into an operational system.

Progent's recovery team deploys state-of-the-art project management applications to coordinate the sophisticated restoration process. Progent appreciates the urgency of working quickly and together with a customer's management and IT team members to assign priority to tasks and to get critical applications back online as soon as humanly possible.

Case Study: A Successful Ransomware Virus Recovery
A business contacted Progent after their network was crashed by Ryuk ransomware. Ryuk is generally considered to have been developed by North Korean government-sponsored cybercriminals, suspected of using techniques leaked from America's NSA organization. Ryuk attacks specific organizations with little or no room for operational disruption and is one of the most profitable incarnations of ransomware. Major victims include Data Resolution, a California-based information warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a small manufacturing business based in the Chicago metro area and has about 500 employees. The Ryuk event had shut down all company operations and manufacturing capabilities. Most of the client's backups had been online at the time of the intrusion and were destroyed. The client was evaluating paying the ransom (more than $200K) and praying for good luck, but ultimately brought in Progent.


"I can't tell you enough in regards to the expertise Progent provided us during the most fearful period of (our) company's existence. We may have had to pay the cyber criminals if not for the confidence the Progent experts provided us. The fact that you were able to get our e-mail and production applications back into operation sooner than five days was earth shattering. Every single person I worked with or messaged at Progent was amazingly focused on getting us back on-line and was working breakneck pace to bail us out."

Progent worked hand in hand with the client to quickly assess and prioritize the mission-critical systems that had to be restored in order to resume departmental functions:

  • Windows Active Directory
  • Electronic Mail
  • Financials/MRP

To start, Progent adhered to malware incident response best practices by halting lateral movement and cleaning up infected systems. Progent then started the steps of bringing Microsoft Active Directory back online, the core of enterprise systems built on Microsoft technology. Exchange messaging will not work without AD, and the customer's MRP applications utilized Microsoft SQL Server, which depends on Active Directory for authentication to the data.

Within 2 days, Progent was able to restore Active Directory services to their pre-penetration state. Progent then accomplished rebuilding and storage recovery on critical systems. All Exchange Server schema and attributes were intact, which greatly helped the restoration of Exchange. Progent was able to collect intact OST data files (Outlook Email Offline Data Files) on team workstations to recover mail messages. A fairly recent offline backup of the client's financials/ERP software made it possible to bring these essential programs back online for users. Although a large amount of work still had to be done to recover completely from the Ryuk virus, core services were recovered rapidly:


"For the most part, the production manufacturing operation did not miss a beat and we did not miss any customer shipments."

During the next few weeks important milestones in the restoration process were completed in tight collaboration between Progent team members and the client:

  • In-house web applications were restored without losing any data.
  • The MailStore Microsoft Exchange Server exceeding 4 million historical messages was brought on-line and available for users.
  • CRM/Customer Orders/Invoicing/AP/Accounts Receivables/Inventory Control functions were 100% functional.
  • A new Palo Alto 850 security appliance was brought online.
  • Nearly all of the desktops and laptops were fully operational.

"A lot of what happened those first few days is nearly entirely a haze for me, but I will not forget the commitment all of you accomplished to give us our business back. I have utilized Progent for at least 10 years, possibly more, and every time Progent has impressed me and delivered. This situation was a stunning achievement."

Conclusion
A possible business-killing catastrophe was averted with hard-working experts, a broad array of subject matter expertise, and close collaboration. Although post-incident forensics showed that the ransomware incident described here could have been stopped with modern security technology and best practices, user and IT administrator training, and appropriate incident response procedures for data protection and software patching, the fact remains that state-sponsored cyber criminals from Russia, North Korea and elsewhere are relentless and represent an ongoing threat. If you do get hit by a ransomware penetration, feel confident that Progent's roster of professionals has substantial experience in ransomware virus defense, mitigation, and file disaster recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Tony (along with others who were helping), thanks very much for making it so I could get rested after we got over the initial push. Everyone did an amazing job, and if anyone is around the Chicago area, a great meal is the least I can do!"

To read or download a PDF version of this customer case study, click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent can provide companies in Salt Lake City a range of remote monitoring and security evaluation services to help you to minimize the threat from ransomware. These services incorporate modern AI capability to detect new variants of ransomware that can escape detection by traditional signature-based anti-virus solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection solution that utilizes next generation behavior machine learning technology to defend physical and virtual endpoint devices against modern malware assaults like ransomware and file-less exploits, which easily get by traditional signature-matching anti-virus tools. ProSight ASM protects on-premises and cloud-based resources and provides a single platform to automate the complete malware attack progression including filtering, identification, mitigation, cleanup, and post-attack forensics. Key capabilities include one-click rollback using Windows VSS and real-time network-wide immunization against newly discovered attacks. Read more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Security and Exchange Email Filtering
    Progent's ProSight Enhanced Security Protection services deliver ultra-affordable multi-layer protection for physical and virtual servers, desktops, mobile devices, and Microsoft Exchange. ProSight ESP utilizes contextual security and advanced machine learning for round-the-clock monitoring and responding to cyber assaults from all vectors. ProSight ESP offers firewall protection, penetration alarms, device management, and web filtering via cutting-edge tools packaged within one agent managed from a single console. Progent's data protection and virtualization consultants can assist your business to design and implement a ProSight ESP deployment that meets your company's unique needs and that helps you demonstrate compliance with government and industry information security regulations. Progent will assist you define and implement policies that ProSight ESP will enforce, and Progent will monitor your network and respond to alarms that call for urgent action. Progent's consultants can also assist your company to install and test a backup and restore solution such as ProSight Data Protection Services (DPS) so you can get back in business quickly from a potentially disastrous security attack like ransomware. Learn more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint protection and Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery
    ProSight Data Protection Services from Progent provide small and medium-sized organizations a low-cost and fully managed solution for secure backup/disaster recovery. Available at a low monthly cost, ProSight DPS automates and monitors your backup processes and enables fast recovery of vital data, apps and virtual machines that have become lost or corrupted due to hardware breakdowns, software glitches, disasters, human mistakes, or malicious attacks such as ransomware. ProSight Data Protection Services can help you back up, retrieve and restore files, folders, applications, system images, plus Microsoft Hyper-V and VMware images. Critical data can be protected in the cloud, to a local device, or mirrored to both. Progent's backup and recovery consultants can provide world-class support to set up ProSight DPS to comply with regulatory requirements such as HIPAA, FIRPA, and PCI and, when needed, can help you to recover your business-critical information. Find out more about ProSight Data Protection Services Managed Cloud Backup.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that incorporates the technology of leading data security vendors to provide centralized management and world-class security for your inbound and outbound email. The hybrid structure of Progent's Email Guard combines a Cloud Protection Layer with an on-premises gateway device to offer complete defense against spam, viruses, Denial of Service attacks, directory harvest attacks (DHAs), and other email-borne malware. Email Guard's cloud filter acts as a first line of defense and keeps the vast majority of threats from reaching your network firewall. This reduces your exposure to external attacks and saves network bandwidth and storage. Email Guard's on-premises gateway device adds a further level of analysis for inbound email. For outbound email, the onsite security gateway offers AV and anti-spam filtering, DLP, and email encryption. The local gateway can also assist Microsoft Exchange Server to monitor and safeguard internal email traffic that originates and ends within your security perimeter. For more details, visit Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Network Infrastructure Management
    Progent's ProSight WAN Watch is an infrastructure monitoring and management service that makes it simple and affordable for smaller businesses to diagram, track, optimize and debug their connectivity appliances like switches, firewalls, and access points plus servers, endpoints and other networked devices. Incorporating cutting-edge RMM technology, ProSight WAN Watch ensures that network maps are always current, copies and displays the configuration information of almost all devices on your network, tracks performance, and sends alerts when potential issues are detected. By automating time-consuming management activities, ProSight WAN Watch can knock hours off ordinary chores such as network mapping, reconfiguring your network, locating appliances that need critical software patches, or isolating performance problems. Find out more about ProSight WAN Watch network infrastructure management services.

  • ProSight LAN Watch: Server and Desktop Monitoring
    ProSight LAN Watch is Progent's server and desktop monitoring service that incorporates advanced remote monitoring and management (RMM) technology to keep your IT system operating efficiently by tracking the health of critical assets that drive your business network. When ProSight LAN Watch detects an issue, an alarm is sent immediately to your designated IT personnel and your assigned Progent consultant so all potential issues can be resolved before they can impact your network. Find out more about ProSight LAN Watch server and desktop monitoring services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With ProSight Virtual Hosting service, a small business can have its critical servers and applications hosted in a protected fault tolerant data center on a fast virtual machine host set up and maintained by Progent's network support experts. Under the ProSight Virtual Hosting service model, the customer owns the data, the operating system platforms, and the apps. Because the system is virtualized, it can be moved immediately to an alternate hosting solution without a time-consuming and technically risky reinstallation procedure. With ProSight Virtual Hosting, your business is not locked into a single hosting provider. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to create, update, retrieve and safeguard information related to your IT infrastructure, processes, business apps, and services. You can quickly find passwords or serial numbers and be alerted automatically about impending expirations of SSL certificates or warranties. By cleaning up and organizing your network documentation, you can eliminate as much as half of the time wasted trying to find vital information about your IT network. ProSight IT Asset Management includes a common repository for storing and sharing all documents required for managing your network infrastructure such as standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also supports advanced automation for collecting and associating IT data. Whether you're planning enhancements, doing regular maintenance, or reacting to an emergency, ProSight IT Asset Management gets you the knowledge you need as soon as you need it. Find out more about Progent's ProSight IT Asset Management service.

For Salt Lake City 24/7/365 Ransomware Repair Services, reach out to Progent at 800-462-8800 or go to Contact Progent.