Ransomware : Your Worst Information Technology Disaster
Ransomware Recovery Consultants

Ransomware has become an all-too-frequent cyberplague that poses an extinction-level threat to organizations poorly prepared for an attack. Successive families of ransomware such as the Reveton, CryptoWall, Locky, SamSam and MongoLock cryptoworms have been running rampant for a long time and continue to cause destruction. More recent strains such as Ryuk and Hermes, along with as yet unnamed malware appearing daily, not only encrypt online data but also compromise most reachable backup and system protection mechanisms. Information replicated to the cloud can also be ransomed. Where the data protection solution is itself vulnerable, this can render any recovery useless and effectively sets the network back to square one.

Getting applications and data back online after a crypto-ransomware outage becomes a race against the clock as the targeted business struggles to contain and remove the ransomware and to resume mission-critical operations. Since ransomware requires time to replicate, attacks are usually sprung on weekends, when they tend to take longer to identify. This compounds the difficulty of promptly assembling and organizing an experienced response team.

Progent offers a range of services for securing organizations against ransomware. Among these are staff education to help recognize and avoid phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, and setup and configuration of next-generation security appliances with machine learning capabilities to rapidly detect and extinguish zero-day cyber threats. Progent also offers the services of experienced crypto-ransomware recovery professionals with the talent and commitment to restore a compromised network as quickly as possible.

Progent's Ransomware Recovery Help
After a ransomware attack, paying the ransom in Bitcoin cryptocurrency does not guarantee that the attackers will respond with the keys needed to decrypt any of your data. Kaspersky Labs determined that 17% of crypto-ransomware victims never recovered their files after sending the ransom, compounding their losses. The gamble is also expensive. Ryuk ransoms frequently range from fifteen to forty BTC (between $120,000 and $400,000). This is far higher than the average ransomware demand, which ZDNET determined to be in the range of $13,000. The alternative is to rebuild the mission-critical elements of your IT environment. Without usable backups of essential data, this calls for a broad complement of skill sets, top-notch team management, and the ability to work continuously until the job is complete.

For decades, Progent has provided certified expert Information Technology services for companies in Philadelphia and throughout the United States and has achieved Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes engineers who have attained high-level industry certifications in key technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's security engineers have earned internationally recognized certifications including CISM, CISSP-ISSAP, CRISC, and GIAC. (Refer to Progent's certifications.) Progent also has expertise with accounting and ERP software solutions. This breadth of expertise enables Progent to knowledgeably assess important systems, consolidate the surviving parts of your network environment following a ransomware event, and configure them into an operational system.

Progent's recovery team uses state-of-the-art project management systems to orchestrate the complex restoration process. Progent appreciates the importance of working rapidly and together with a customer's management and IT team members to prioritize tasks and to get the most important services back online as soon as possible.

Client Case Study: A Successful Ransomware Virus Restoration
A small business escalated to Progent after their organization was brought down by Ryuk ransomware. Ryuk is believed to have been launched by North Korean government-sponsored hackers, possibly using technology leaked from America's National Security Agency. Ryuk targets specific organizations with limited tolerance for disruption and is among the most lucrative iterations of ransomware. Headline targets include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a single-location manufacturing business based in Chicago with around 500 employees. The Ryuk attack had shut down all business operations and manufacturing processes. Most of the client's data backups had been directly accessible at the beginning of the intrusion and were eventually encrypted. The client considered paying the ransom (in excess of two hundred thousand dollars) and hoping for the best, but in the end engaged Progent.


"I can't tell you enough about the support Progent gave us during the most fearful time of (our) business's existence. We may have had to pay the cyber criminals if not for the confidence the Progent experts provided us. That you were able to get our e-mail system and critical servers back online in less than five days was beyond my wildest dreams. Each expert I spoke to or texted at Progent was absolutely committed to getting us operational and was working 24 by 7 on our behalf."

Progent worked with the customer to rapidly understand and assign priority to the mission critical services that had to be addressed in order to resume business operations:

  • Microsoft Active Directory
  • Electronic Messaging
  • Accounting/MRP

To begin, Progent followed industry best practices for malware incident containment by stopping lateral movement and removing the malware. Progent then began the work of rebuilding Microsoft AD, the foundation of enterprise environments built on Microsoft Windows Server technology. Microsoft Exchange messaging will not work without Windows AD, and the client's financials and MRP system relied on Microsoft SQL Server, which needs Active Directory services for access to the data.

In less than 2 days, Progent was able to restore Active Directory services to their pre-attack state. Progent then completed setup and storage recovery on critical systems. All Exchange schema and configuration information were usable, which accelerated the rebuild of Exchange. Progent was able to gather unencrypted OST data files (Outlook Offline Folder Files) from user desktop computers and laptops to recover mail messages. A recent offline backup of the customer's financials/MRP systems made it possible to bring these essential applications back online for users. Although a large amount of work remained to recover completely from the Ryuk event, the most important systems were returned to operation rapidly:


"For the most part, the manufacturing operation did not miss a beat and we delivered all customer orders."

Over the following couple of weeks, key milestones in the recovery project were reached through tight cooperation between Progent team members and the customer:

  • Self-hosted web sites were restored without losing any data.
  • The MailStore Microsoft Exchange Server with over four million historical emails was brought online and available for users.
  • CRM/Product Ordering/Invoices/Accounts Payable/Accounts Receivables/Inventory Control functions were 100 percent functional.
  • A new Palo Alto Networks 850 firewall was brought online.
  • 90% of the desktop computers were being used by staff.

"A huge amount of what happened in the initial days is nearly entirely a haze for me, but we will not forget the countless hours all of your team put in to help get our company back. I have been working together with Progent for the past 10 years, possibly more, and each time I needed help Progent has outperformed my expectations and delivered as promised. This time was the most impressive ever."

Conclusion
A potential business-ending catastrophe was averted through the efforts of dedicated experts, a wide array of subject matter expertise, and tight collaboration. In hindsight, the crypto-ransomware incident detailed here could have been blocked with modern cyber security technology and best practices, user training, and appropriate procedures for data backup and software patching; nevertheless, government-sponsored cybercriminals from Russia, North Korea and elsewhere are tireless and will continue. If you do fall victim to a crypto-ransomware attack, you can be confident that Progent's team of experts has proven experience in ransomware blocking, remediation, and information systems disaster recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Tony (and any others that were involved), thank you for making it so I could get some sleep after we made it over the initial fire. All of you did an amazing job, and if anyone is in the Chicago area, dinner is my treat!"

To read or download a PDF version of this customer case study, please click:
Progent's Crypto-Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Offered by Progent
Progent offers businesses in Philadelphia a variety of remote monitoring and security assessment services to assist you to reduce the threat from ransomware. These services incorporate modern machine learning capability to detect new strains of ransomware that can escape detection by legacy signature-based anti-virus products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) service that incorporates next generation behavior-based machine learning technology to guard physical and virtual endpoints against new malware assaults like ransomware and email phishing, which easily escape legacy signature-based anti-virus tools. ProSight ASM safeguards local and cloud resources and offers a single platform to manage the entire threat progression including filtering, infiltration detection, containment, remediation, and forensics. Key features include one-click rollback using Windows VSS and automatic network-wide immunization against newly discovered threats. Find out more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Security and Exchange Email Filtering
    ProSight Enhanced Security Protection services offer affordable multi-layer protection for physical servers and virtual machines, desktops, mobile devices, and Exchange email. ProSight ESP utilizes adaptive security and advanced heuristics for continuously monitoring and responding to cyber assaults from all vectors. ProSight ESP delivers firewall protection, intrusion alarms, endpoint control, and web filtering via leading-edge technologies incorporated within a single agent accessible from a unified console. Progent's security and virtualization experts can assist you to plan and implement a ProSight ESP deployment that meets your organization's specific needs and that allows you to prove compliance with legal and industry data security standards. Progent will help you define and implement policies that ProSight ESP will enforce, and Progent will monitor your IT environment and react to alerts that require immediate action. Progent can also assist you to install and verify a backup and restore solution like ProSight Data Protection Services so you can recover quickly from a destructive cyber attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint security and Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery
    ProSight Data Protection Services provide small and mid-sized businesses an affordable end-to-end solution for reliable backup and disaster recovery. For a low monthly rate, ProSight DPS automates and monitors your backup processes and allows fast recovery of vital data, apps and VMs that have become lost or damaged as a result of component breakdowns, software bugs, natural disasters, human error, or malicious attacks such as ransomware. ProSight DPS can help you back up, recover and restore files, folders, apps, system images, plus Microsoft Hyper-V and VMware virtual machine images. Important data can be protected in the cloud, on a local device, or mirrored to both. Progent's cloud backup consultants can deliver world-class expertise to configure ProSight DPS to comply with government and industry regulatory standards such as HIPAA, FINRA, PCI and Safe Harbor and, when necessary, can help you to recover your business-critical data. Read more about ProSight Data Protection Services Managed Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering service that uses the infrastructure of top information security vendors to deliver centralized control and world-class protection for your email traffic. The hybrid structure of Progent's Email Guard integrates cloud-based filtering with an on-premises security gateway device to offer complete protection against spam, viruses, denial of service attacks, directory harvest attacks (DHAs), and other email-based threats. The cloud filter acts as a first line of defense and keeps the vast majority of threats from reaching your security perimeter. This reduces your exposure to inbound threats and conserves system bandwidth and storage. Email Guard's on-premises security gateway appliance adds a deeper level of analysis for inbound email. For outgoing email, the onsite security gateway provides anti-virus and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The local gateway can also assist Microsoft Exchange Server to monitor and safeguard internal email that stays inside your corporate firewall. For more details, see ProSight Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is a network infrastructure monitoring and management service that makes it simple and inexpensive for small and mid-sized businesses to map, monitor, reconfigure and debug their connectivity appliances such as routers and switches, firewalls, and access points as well as servers, printers, endpoints and other devices. Incorporating state-of-the-art RMM technology, ProSight WAN Watch ensures that infrastructure topology diagrams are kept current, captures and displays the configuration of virtually all devices on your network, tracks performance, and generates notices when problems are detected. By automating tedious management processes, ProSight WAN Watch can cut hours off common chores such as network mapping, expanding your network, finding appliances that need important updates, or resolving performance issues. Learn more details about ProSight WAN Watch network infrastructure monitoring and management consulting.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that uses state-of-the-art remote monitoring and management (RMM) techniques to help keep your IT system running at peak levels by tracking the health of the critical assets that power your business network. When ProSight LAN Watch uncovers an issue, an alarm is sent automatically to your designated IT management staff and your Progent engineering consultant so any looming problems can be addressed before they can disrupt your network. Find out more details about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
    With Progent's ProSight Virtual Hosting service, a small or mid-size business can have its key servers and applications hosted in a protected Tier III data center on a high-performance virtual host set up and managed by Progent's IT support professionals. With the ProSight Virtual Hosting model, the customer owns the data, the OS software, and the apps. Because the environment is virtualized, it can be moved easily to an alternate hosting solution without a time-consuming and difficult configuration process. With ProSight Virtual Hosting, you are not locked into a single hosting provider. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to create, update, retrieve and safeguard data about your IT infrastructure, processes, applications, and services. You can instantly find passwords or IP addresses and be alerted automatically about upcoming expirations of SSL certificates or warranties. By keeping your network documentation current and organized, you can eliminate as much as half of the time wasted searching for critical information about your network. ProSight IT Asset Management includes a common location for storing and sharing all documents related to managing your network infrastructure, such as recommended procedures and self-service instructions. ProSight IT Asset Management also offers a high level of automation for gathering and associating IT information. Whether you're making improvements, performing maintenance, or reacting to a crisis, ProSight IT Asset Management gets you the information you need when you need it. Learn more about ProSight IT Asset Management service.

For 24/7 Philadelphia CryptoLocker removal experts, contact Progent at 800-993-9400 or go to Contact Progent.