Ransomware : Your Worst IT Disaster
Crypto-Ransomware  Recovery ConsultantsCrypto-Ransomware has become a too-frequent cyber pandemic that presents an enterprise-level danger for organizations unprepared for an attack. Different versions of ransomware like the CryptoLocker, Fusob, Locky, SamSam and MongoLock cryptoworms have been running rampant for many years and still cause destruction. Newer variants of ransomware like Ryuk and Hermes, along with daily unnamed malware, not only do encryption of online files but also infiltrate most available system protection. Information synchronized to the cloud can also be rendered useless. In a vulnerable data protection solution, it can make any restore operations useless and basically sets the datacenter back to square one.

Getting back on-line services and information after a crypto-ransomware outage becomes a sprint against the clock as the targeted business fights to contain the damage and eradicate the ransomware and to resume business-critical operations. Since ransomware requires time to spread, penetrations are usually launched at night, when successful penetrations typically take more time to recognize. This compounds the difficulty of rapidly marshalling and orchestrating a qualified mitigation team.

Progent provides an assortment of services for protecting organizations from crypto-ransomware events. These include team training to become familiar with and avoid phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, in addition to setup and configuration of modern security gateways with artificial intelligence technology to automatically discover and disable new cyber attacks. Progent in addition can provide the services of seasoned ransomware recovery consultants with the track record and perseverance to re-deploy a breached system as quickly as possible.

Progent's Ransomware Recovery Services
Subsequent to a ransomware event, sending the ransom in cryptocurrency does not ensure that criminal gangs will provide the keys to decrypt any of your information. Kaspersky estimated that seventeen percent of ransomware victims never restored their data even after having sent off the ransom, resulting in additional losses. The gamble is also expensive. Ryuk ransoms often range from 15-40 BTC ($120,000 and $400,000). This is well above the usual crypto-ransomware demands, which ZDNET estimates to be approximately $13,000. The other path is to re-install the essential components of your IT environment. Without the availability of full data backups, this requires a wide complement of skill sets, professional team management, and the capability to work continuously until the job is done.

For decades, Progent has provided certified expert Information Technology services for companies in Houston and across the U.S. and has earned Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes professionals who have attained advanced industry certifications in foundation technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cyber security engineers have earned internationally-renowned certifications including CISA, CISSP, ISACA CRISC, and SANS GIAC. (Refer to Progent's certifications). Progent also has expertise in accounting and ERP software solutions. This breadth of expertise affords Progent the skills to rapidly identify important systems and re-organize the surviving parts of your computer network environment following a ransomware event and assemble them into an operational system.

Progent's security group uses best of breed project management applications to coordinate the complicated restoration process. Progent knows the urgency of acting rapidly and together with a client's management and Information Technology resources to assign priority to tasks and to put essential applications back on line as soon as humanly possible.

Case Study: A Successful Ransomware Attack Response
A business escalated to Progent after their organization was brought down by Ryuk ransomware. Ryuk is generally considered to have been created by Northern Korean state hackers, suspected of adopting approaches exposed from the U.S. National Security Agency. Ryuk attacks specific organizations with limited ability to sustain disruption and is among the most lucrative examples of ransomware viruses. Headline victims include Data Resolution, a California-based info warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a regional manufacturing business based in the Chicago metro area with about 500 workers. The Ryuk event had frozen all essential operations and manufacturing capabilities. The majority of the client's backups had been on-line at the beginning of the intrusion and were eventually encrypted. The client considered paying the ransom (exceeding $200,000) and praying for good luck, but ultimately engaged Progent.


"I canít thank you enough about the support Progent gave us during the most critical period of (our) companyís survival. We had little choice but to pay the cyber criminals if it wasnít for the confidence the Progent team gave us. The fact that you were able to get our e-mail system and essential applications back on-line in less than five days was earth shattering. Every single staff member I got help from or communicated with at Progent was laser focused on getting our system up and was working 24 by 7 to bail us out."

Progent worked with the client to rapidly get our arms around and assign priority to the essential areas that had to be recovered in order to restart company operations:

  • Windows Active Directory
  • Email
  • Accounting/MRP
To get going, Progent followed ransomware event response best practices by halting the spread and cleaning systems of viruses. Progent then initiated the process of bringing back online Active Directory, the foundation of enterprise environments built on Microsoft Windows Server technology. Microsoft Exchange email will not operate without AD, and the client's financials and MRP applications used Microsoft SQL, which needs Windows AD for authentication to the databases.

Within 2 days, Progent was able to re-build Windows Active Directory to its pre-virus state. Progent then assisted with setup and hard drive recovery on essential servers. All Microsoft Exchange Server ties and configuration information were intact, which greatly helped the restore of Exchange. Progent was also able to collect intact OST data files (Outlook Offline Folder Files) on team workstations to recover mail information. A not too old offline backup of the customerís financials/MRP systems made them able to return these vital services back online. Although a large amount of work was left to recover fully from the Ryuk attack, essential systems were returned to operations quickly:


"For the most part, the production operation showed little impact and we delivered all customer orders."

Over the following few weeks critical milestones in the restoration process were achieved in tight collaboration between Progent engineers and the customer:

  • In-house web applications were brought back up without losing any information.
  • The MailStore Server with over 4 million historical messages was brought online and available for users.
  • CRM/Customer Orders/Invoices/Accounts Payable/Accounts Receivables (AR)/Inventory functions were 100 percent restored.
  • A new Palo Alto Networks 850 firewall was brought on-line.
  • Ninety percent of the user desktops were functioning as before the incident.

"Much of what went on during the initial response is mostly a fog for me, but I will not forget the urgency all of the team accomplished to help get our business back. I have been working with Progent for the past 10 years, possibly more, and each time I needed help Progent has impressed me and delivered as promised. This time was a life saver."

Conclusion
A possible business-killing disaster was averted through the efforts of hard-working experts, a wide array of knowledge, and close teamwork. Although in post mortem the ransomware virus attack detailed here could have been prevented with advanced cyber security technology and best practices, user and IT administrator training, and well designed incident response procedures for data backup and applying software patches, the fact is that state-sponsored criminal cyber gangs from China, North Korea and elsewhere are relentless and represent an ongoing threat. If you do fall victim to a crypto-ransomware penetration, feel confident that Progent's roster of experts has extensive experience in ransomware virus blocking, remediation, and information systems recovery.


"So, to Darrin, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others that were contributing), thanks very much for letting me get some sleep after we got past the first week. Everyone did an impressive effort, and if anyone that helped is visiting the Chicago area, a great meal is the least I can do!"

To read or download a PDF version of this case study, please click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Available from Progent
Progent offers companies in Houston a range of online monitoring and security assessment services designed to assist you to reduce the threat from ransomware. These services incorporate modern AI technology to uncover new variants of ransomware that are able to get past traditional signature-based anti-virus products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) service that incorporates cutting edge behavior analysis tools to defend physical and virtual endpoint devices against new malware assaults such as ransomware and email phishing, which easily get by legacy signature-based anti-virus tools. ProSight ASM protects on-premises and cloud-based resources and offers a unified platform to manage the complete malware attack progression including protection, detection, mitigation, cleanup, and post-attack forensics. Top capabilities include single-click rollback using Windows Volume Shadow Copy Service and automatic system-wide immunization against newly discovered attacks. Find out more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection (ESP): Endpoint Protection and Microsoft Exchange Filtering
    ProSight Enhanced Security Protection (ESP) services deliver economical multi-layer security for physical servers and VMs, workstations, smartphones, and Microsoft Exchange. ProSight ESP uses contextual security and advanced machine learning for continuously monitoring and responding to cyber threats from all vectors. ProSight ESP offers two-way firewall protection, intrusion alerts, device management, and web filtering via leading-edge tools packaged within a single agent accessible from a unified control. Progent's security and virtualization consultants can help you to design and configure a ProSight ESP environment that meets your organization's specific needs and that helps you achieve and demonstrate compliance with government and industry information security regulations. Progent will help you define and implement policies that ProSight ESP will enforce, and Progent will monitor your IT environment and react to alarms that require urgent action. Progent can also assist your company to set up and test a backup and restore solution like ProSight Data Protection Services (DPS) so you can get back in business quickly from a potentially disastrous cyber attack such as ransomware. Find out more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint protection and Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery
    ProSight Data Protection Services provide small and medium-sized businesses an affordable end-to-end solution for secure backup/disaster recovery. Available at a fixed monthly cost, ProSight DPS automates and monitors your backup activities and allows fast recovery of vital data, apps and virtual machines that have become lost or damaged as a result of hardware failures, software bugs, disasters, human mistakes, or malicious attacks such as ransomware. ProSight Data Protection Services can help you back up, retrieve and restore files, folders, apps, system images, plus Hyper-V and VMware images/. Important data can be protected on the cloud, to a local device, or mirrored to both. Progent's cloud backup consultants can deliver advanced support to configure ProSight DPS to be compliant with regulatory standards such as HIPPA, FINRA, and PCI and, when necessary, can assist you to restore your critical data. Read more about ProSight Data Protection Services Managed Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering service that uses the infrastructure of top information security vendors to deliver web-based management and world-class protection for your inbound and outbound email. The hybrid architecture of Email Guard integrates cloud-based filtering with a local security gateway device to provide complete protection against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks (DHAs), and other email-based threats. Email Guard's cloud filter acts as a first line of defense and blocks most threats from making it to your network firewall. This reduces your vulnerability to inbound threats and conserves network bandwidth and storage space. Email Guard's on-premises gateway device adds a further level of inspection for inbound email. For outbound email, the local security gateway provides AV and anti-spam filtering, protection against data leaks, and email encryption. The on-premises gateway can also help Exchange Server to track and protect internal email that stays inside your security perimeter. For more information, visit ProSight Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is an infrastructure monitoring and management service that makes it simple and inexpensive for small and mid-sized organizations to map out, monitor, enhance and troubleshoot their connectivity appliances such as switches, firewalls, and access points plus servers, client computers and other networked devices. Using state-of-the-art Remote Monitoring and Management technology, ProSight WAN Watch makes sure that infrastructure topology maps are kept updated, copies and displays the configuration of virtually all devices connected to your network, tracks performance, and sends alerts when potential issues are detected. By automating complex management and troubleshooting activities, ProSight WAN Watch can cut hours off ordinary chores such as network mapping, reconfiguring your network, finding devices that require important updates, or isolating performance problems. Find out more about ProSight WAN Watch network infrastructure management consulting.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
    ProSight LAN Watch is Progentís server and desktop remote monitoring managed service that incorporates advanced remote monitoring and management technology to help keep your IT system running at peak levels by checking the health of vital assets that drive your information system. When ProSight LAN Watch detects a problem, an alarm is sent immediately to your designated IT management staff and your Progent consultant so any looming problems can be resolved before they can disrupt your network. Learn more about ProSight LAN Watch server and desktop monitoring consulting.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
    With ProSight Virtual Hosting service, a small business can have its critical servers and apps hosted in a protected fault tolerant data center on a high-performance virtual host set up and maintained by Progent's network support experts. Under Progent's ProSight Virtual Hosting service model, the client retains ownership of the data, the OS platforms, and the apps. Because the environment is virtualized, it can be ported immediately to a different hardware solution without requiring a lengthy and difficult configuration process. With ProSight Virtual Hosting, you are not tied a single hosting provider. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to create, maintain, find and protect data related to your IT infrastructure, procedures, business apps, and services. You can quickly find passwords or IP addresses and be warned about upcoming expirations of SSL certificates or domains. By cleaning up and organizing your IT infrastructure documentation, you can save as much as 50% of time spent searching for critical information about your IT network. ProSight IT Asset Management includes a centralized location for holding and collaborating on all documents related to managing your business network such as standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also supports a high level of automation for collecting and relating IT information. Whether youíre planning enhancements, performing regular maintenance, or responding to an emergency, ProSight IT Asset Management delivers the information you require the instant you need it. Read more about ProSight IT Asset Management service.
For 24x7 Houston Ransomware Remediation Support Services, contact Progent at 800-993-9400 or go to Contact Progent.