Ransomware : Your Feared IT Disaster
Crypto-Ransomware  Remediation ConsultantsRansomware has become a too-frequent cyber pandemic that represents an enterprise-level threat for businesses unprepared for an attack. Different iterations of ransomware such as CryptoLocker, WannaCry, Locky, NotPetya and MongoLock cryptoworms have been out in the wild for years and continue to inflict havoc. Newer strains of crypto-ransomware such as Ryuk and Hermes, along with frequent unnamed newcomers, not only encrypt on-line information but also infiltrate all accessible system protection. Information synchronized to the cloud can also be ransomed. In a vulnerable system, this can make automatic restoration impossible and effectively sets the network back to square one.

Retrieving services and information following a ransomware event becomes a race against time as the targeted organization tries its best to stop the spread and remove the ransomware and to restore business-critical operations. Due to the fact that crypto-ransomware needs time to move laterally, assaults are usually sprung during weekends and nights, when attacks in many cases take longer to uncover. This compounds the difficulty of quickly assembling and organizing a knowledgeable mitigation team.

Progent has an assortment of help services for securing organizations from ransomware penetrations. These include team member education to become familiar with and avoid phishing scams, ProSight Active Security Monitoring for remote monitoring and management, in addition to deployment of next-generation security solutions with machine learning technology to automatically identify and extinguish day-zero threats. Progent also provides the assistance of experienced crypto-ransomware recovery consultants with the skills and commitment to re-deploy a breached system as urgently as possible.

Progent's Ransomware Recovery Support Services
Following a crypto-ransomware event, sending the ransom in Bitcoin cryptocurrency does not provide any assurance that distant criminals will return the keys to unencrypt any of your data. Kaspersky estimated that 17% of crypto-ransomware victims never restored their files even after having sent off the ransom, resulting in additional losses. The risk is also costly. Ryuk ransoms commonly range from fifteen to forty BTC ($120,000 and $400,000). This is greatly higher than the average crypto-ransomware demands, which ZDNET averages to be around $13,000. The alternative is to re-install the mission-critical components of your IT environment. Absent the availability of full information backups, this requires a broad range of skill sets, professional project management, and the ability to work continuously until the task is done.

For decades, Progent has provided certified expert IT services for companies in Houston and across the U.S. and has earned Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes consultants who have been awarded advanced industry certifications in key technologies including Microsoft, Cisco, VMware, and major distributions of Linux. Progent's security engineers have earned internationally-recognized certifications including CISA, CISSP, ISACA CRISC, and GIAC. (Visit Progent's certifications). Progent in addition has expertise with accounting and ERP applications. This breadth of expertise affords Progent the ability to knowledgably determine important systems and integrate the surviving components of your computer network system following a ransomware penetration and configure them into a functioning system.

Progent's ransomware group deploys powerful project management tools to coordinate the sophisticated recovery process. Progent appreciates the importance of working swiftly and in unison with a customerís management and Information Technology resources to prioritize tasks and to get key systems back on line as soon as humanly possible.

Business Case Study: A Successful Ransomware Virus Restoration
A customer hired Progent after their network system was attacked by Ryuk ransomware virus. Ryuk is believed to have been developed by North Korean state sponsored hackers, suspected of adopting technology exposed from Americaís National Security Agency. Ryuk goes after specific organizations with little room for disruption and is among the most lucrative instances of crypto-ransomware. Headline targets include Data Resolution, a California-based info warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a small manufacturer located in the Chicago metro area with about 500 employees. The Ryuk attack had shut down all essential operations and manufacturing capabilities. The majority of the client's information backups had been directly accessible at the beginning of the attack and were damaged. The client was evaluating paying the ransom demand (exceeding $200,000) and praying for good luck, but in the end made the decision to use Progent.


"I canít say enough in regards to the support Progent provided us throughout the most stressful period of (our) companyís life. We may have had to pay the hackers behind this attack if it wasnít for the confidence the Progent group afforded us. That you were able to get our e-mail and key servers back faster than one week was earth shattering. Each person I spoke to or texted at Progent was amazingly focused on getting our system up and was working 24 by 7 on our behalf."

Progent worked together with the customer to quickly get our arms around and assign priority to the most important elements that needed to be recovered in order to restart departmental operations:

  • Active Directory
  • Exchange Server
  • Accounting and Manufacturing Software
To start, Progent adhered to ransomware penetration mitigation industry best practices by isolating and removing active viruses. Progent then initiated the work of recovering Microsoft Active Directory, the foundation of enterprise systems built upon Microsoft Windows Server technology. Microsoft Exchange Server messaging will not work without Windows AD, and the client's MRP system used Microsoft SQL, which requires Windows AD for authentication to the data.

Within 2 days, Progent was able to rebuild Active Directory services to its pre-penetration state. Progent then accomplished rebuilding and hard drive recovery of mission critical applications. All Exchange Server schema and attributes were intact, which facilitated the rebuild of Exchange. Progent was also able to find non-encrypted OST data files (Outlook Off-Line Folder Files) on staff workstations and laptops in order to recover email messages. A recent offline backup of the client's manufacturing systems made them able to return these required services back on-line. Although significant work remained to recover fully from the Ryuk event, core services were returned to operations rapidly:


"For the most part, the production line operation ran fairly normal throughout and we did not miss any customer orders."

Throughout the following couple of weeks critical milestones in the restoration process were accomplished in tight collaboration between Progent team members and the customer:

  • In-house web applications were restored with no loss of information.
  • The MailStore Microsoft Exchange Server exceeding 4 million historical emails was brought online and accessible to users.
  • CRM/Orders/Invoices/Accounts Payable (AP)/AR/Inventory Control functions were completely restored.
  • A new Palo Alto 850 firewall was brought online.
  • Nearly all of the user desktops were being used by staff.

"A lot of what occurred during the initial response is mostly a fog for me, but my management will not forget the dedication each and every one of the team accomplished to help get our company back. I have entrusted Progent for the past 10 years, maybe more, and every time Progent has shined and delivered as promised. This situation was the most impressive ever."

Conclusion
A likely business-ending catastrophe was averted with dedicated professionals, a broad array of subject matter expertise, and tight collaboration. Although in retrospect the ransomware virus incident described here could have been prevented with current cyber security technology and security best practices, staff education, and appropriate incident response procedures for information protection and applying software patches, the fact remains that government-sponsored cyber criminals from China, Russia, North Korea and elsewhere are tireless and represent an ongoing threat. If you do get hit by a ransomware incursion, feel confident that Progent's team of experts has extensive experience in ransomware virus defense, removal, and file disaster recovery.


"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (along with others that were helping), thank you for making it so I could get rested after we got past the most critical parts. All of you did an amazing effort, and if anyone is around the Chicago area, a great meal is on me!"

To review or download a PDF version of this customer story, please click:
Progent's Crypto-Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent can provide businesses in Houston a variety of online monitoring and security evaluation services to help you to minimize your vulnerability to crypto-ransomware. These services include modern AI technology to detect new variants of crypto-ransomware that are able to get past legacy signature-based anti-virus solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) solution that utilizes next generation behavior machine learning tools to guard physical and virtual endpoint devices against new malware attacks like ransomware and file-less exploits, which routinely escape legacy signature-matching AV tools. ProSight ASM safeguards local and cloud-based resources and provides a unified platform to automate the entire threat progression including filtering, identification, mitigation, cleanup, and forensics. Top capabilities include single-click rollback using Windows Volume Shadow Copy Service (VSS) and automatic network-wide immunization against new attacks. Find out more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Protection and Microsoft Exchange Email Filtering
    Progent's ProSight Enhanced Security Protection (ESP) services deliver affordable multi-layer protection for physical servers and VMs, desktops, mobile devices, and Microsoft Exchange. ProSight ESP utilizes contextual security and modern behavior analysis for continuously monitoring and responding to security threats from all vectors. ProSight ESP offers two-way firewall protection, intrusion alerts, device management, and web filtering via cutting-edge technologies incorporated within one agent accessible from a single control. Progent's data protection and virtualization experts can assist you to design and configure a ProSight ESP deployment that meets your company's specific requirements and that allows you achieve and demonstrate compliance with legal and industry data protection standards. Progent will assist you specify and implement security policies that ProSight ESP will enforce, and Progent will monitor your IT environment and respond to alerts that call for urgent attention. Progent's consultants can also help you to set up and verify a backup and restore solution like ProSight Data Protection Services (DPS) so you can recover rapidly from a potentially disastrous cyber attack like ransomware. Read more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint protection and Microsoft Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services provide small and mid-sized organizations an affordable and fully managed service for reliable backup/disaster recovery. For a fixed monthly cost, ProSight DPS automates and monitors your backup processes and allows fast recovery of vital files, apps and virtual machines that have become lost or damaged due to component breakdowns, software glitches, disasters, human error, or malware attacks such as ransomware. ProSight Data Protection Services can help you protect, recover and restore files, folders, applications, system images, as well as Microsoft Hyper-V and VMware virtual machine images. Important data can be protected on the cloud, to an on-promises device, or mirrored to both. Progent's BDR specialists can deliver advanced expertise to set up ProSight Data Protection Services to to comply with regulatory requirements like HIPAA, FINRA, and PCI and, when necessary, can assist you to restore your business-critical data. Read more about ProSight Data Protection Services Managed Backup.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering and email encryption service that incorporates the infrastructure of leading data security vendors to provide web-based management and world-class security for all your email traffic. The hybrid architecture of Progent's Email Guard managed service combines cloud-based filtering with a local gateway appliance to provide complete protection against spam, viruses, Denial of Service (DoS) Attacks, Directory Harvest Attacks (DHAs), and other email-borne malware. Email Guard's cloud filter serves as a first line of defense and blocks the vast majority of unwanted email from making it to your security perimeter. This decreases your vulnerability to external attacks and conserves system bandwidth and storage space. Email Guard's on-premises gateway appliance adds a deeper level of inspection for inbound email. For outbound email, the on-premises gateway offers AV and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The on-premises gateway can also assist Exchange Server to monitor and safeguard internal email traffic that stays inside your security perimeter. For more information, visit Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is a network infrastructure monitoring and management service that makes it simple and inexpensive for small and mid-sized businesses to map out, monitor, enhance and troubleshoot their connectivity hardware like routers and switches, firewalls, and wireless controllers as well as servers, endpoints and other networked devices. Using state-of-the-art RMM technology, ProSight WAN Watch makes sure that network diagrams are kept current, copies and displays the configuration of virtually all devices on your network, tracks performance, and sends alerts when issues are discovered. By automating tedious management activities, WAN Watch can cut hours off common tasks like network mapping, reconfiguring your network, locating appliances that need important software patches, or resolving performance issues. Learn more about ProSight WAN Watch network infrastructure management consulting.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
    ProSight LAN Watch is Progentís server and desktop monitoring service that incorporates state-of-the-art remote monitoring and management technology to keep your IT system running at peak levels by checking the health of critical computers that power your information system. When ProSight LAN Watch uncovers a problem, an alert is sent immediately to your specified IT staff and your assigned Progent engineering consultant so any potential problems can be addressed before they can impact your network. Find out more details about ProSight LAN Watch server and desktop monitoring consulting.

  • ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
    With Progent's ProSight Virtual Hosting service, a small or mid-size organization can have its key servers and apps hosted in a protected fault tolerant data center on a high-performance virtual host configured and managed by Progent's network support professionals. With Progent's ProSight Virtual Hosting service model, the customer owns the data, the OS software, and the apps. Because the system is virtualized, it can be ported immediately to an alternate hosting environment without a lengthy and technically risky configuration process. With ProSight Virtual Hosting, you are not tied a single hosting provider. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to capture, update, find and safeguard data about your IT infrastructure, procedures, applications, and services. You can quickly locate passwords or IP addresses and be alerted automatically about upcoming expirations of SSLs ,domains or warranties. By cleaning up and managing your IT documentation, you can eliminate up to half of time spent trying to find vital information about your network. ProSight IT Asset Management features a common location for storing and sharing all documents related to managing your business network such as standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also offers advanced automation for gathering and associating IT information. Whether youíre making improvements, performing maintenance, or responding to an emergency, ProSight IT Asset Management delivers the information you need when you need it. Read more about ProSight IT Asset Management service.
For Houston 24/7/365 CryptoLocker Recovery Services, reach out to Progent at 800-993-9400 or go to Contact Progent.