Ransomware : Your Worst IT Catastrophe
Ransomware  Remediation ExpertsCrypto-Ransomware has become a too-frequent cyberplague that presents an enterprise-level threat for organizations poorly prepared for an assault. Different iterations of ransomware such as CryptoLocker, CryptoWall, Bad Rabbit, NotPetya and MongoLock cryptoworms have been around for a long time and continue to inflict destruction. The latest variants of ransomware like Ryuk and Hermes, along with more as yet unnamed viruses, not only encrypt on-line critical data but also infiltrate any accessible system protection mechanisms. Data synchronized to the cloud can also be rendered useless. In a poorly designed data protection solution, it can render automated recovery useless and effectively sets the network back to zero.

Getting back services and data following a ransomware outage becomes a sprint against time as the targeted business tries its best to contain the damage and cleanup the crypto-ransomware and to restore enterprise-critical activity. Due to the fact that ransomware needs time to move laterally, penetrations are usually sprung during weekends and nights, when penetrations tend to take more time to recognize. This compounds the difficulty of promptly mobilizing and orchestrating an experienced response team.

Progent offers a range of solutions for protecting enterprises from ransomware penetrations. Among these are staff education to help identify and not fall victim to phishing scams, ProSight Active Security Monitoring for remote monitoring and management, plus setup and configuration of the latest generation security gateways with artificial intelligence capabilities to rapidly identify and quarantine zero-day cyber threats. Progent also can provide the services of expert ransomware recovery professionals with the track record and perseverance to restore a compromised system as quickly as possible.

Progent's Ransomware Recovery Support Services
Following a ransomware attack, paying the ransom in Bitcoin cryptocurrency does not provide any assurance that cyber criminals will respond with the keys to decrypt all your information. Kaspersky Labs determined that 17% of crypto-ransomware victims never recovered their files after having sent off the ransom, resulting in increased losses. The risk is also expensive. Ryuk ransoms frequently range from fifteen to forty BTC ($120,000 and $400,000). This is greatly above the usual ransomware demands, which ZDNET determined to be in the range of $13,000. The other path is to setup from scratch the vital components of your Information Technology environment. Without access to complete information backups, this requires a wide range of skills, well-coordinated team management, and the ability to work 24x7 until the recovery project is complete.

For decades, Progent has provided professional Information Technology services for businesses in Philadelphia and across the United States and has earned Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes professionals who have earned advanced industry certifications in key technologies including Microsoft, Cisco, VMware, and major distributions of Linux. Progent's security engineers have garnered internationally-recognized industry certifications including CISA, CISSP, CRISC, and GIAC. (See Progent's certifications). Progent in addition has expertise with accounting and ERP applications. This breadth of experience gives Progent the ability to rapidly ascertain critical systems and re-organize the remaining parts of your computer network environment following a ransomware attack and assemble them into a functioning system.

Progent's security team utilizes best of breed project management systems to coordinate the complex recovery process. Progent appreciates the urgency of working rapidly and in concert with a client's management and IT staff to prioritize tasks and to get key applications back online as fast as humanly possible.

Business Case Study: A Successful Crypto-Ransomware Virus Response
A small business escalated to Progent after their network was brought down by the Ryuk ransomware. Ryuk is generally considered to have been launched by North Korean state hackers, possibly adopting technology leaked from the U.S. NSA organization. Ryuk goes after specific companies with little room for operational disruption and is one of the most profitable incarnations of ransomware viruses. Headline organizations include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a regional manufacturing company located in the Chicago metro area and has around 500 employees. The Ryuk penetration had frozen all company operations and manufacturing capabilities. The majority of the client's backups had been on-line at the beginning of the attack and were destroyed. The client was taking steps for paying the ransom demand (in excess of $200,000) and praying for the best, but ultimately engaged Progent.


"I cannot say enough about the support Progent provided us throughout the most stressful period of (our) businesses life. We may have had to pay the criminal gangs if it wasnít for the confidence the Progent experts gave us. The fact that you could get our messaging and key applications back on-line quicker than 1 week was incredible. Every single expert I spoke to or texted at Progent was laser focused on getting us restored and was working 24/7 to bail us out."

Progent worked together with the customer to quickly get our arms around and assign priority to the essential applications that had to be addressed to make it possible to restart departmental operations:

  • Active Directory (AD)
  • Exchange Server
  • MRP System
To start, Progent followed AV/Malware Processes event response industry best practices by stopping the spread and removing active viruses. Progent then initiated the steps of recovering Microsoft Active Directory, the key technology of enterprise systems built on Microsoft Windows Server technology. Microsoft Exchange Server email will not work without Windows AD, and the client's financials and MRP system utilized SQL Server, which depends on Windows AD for access to the data.

Within two days, Progent was able to re-build Active Directory to its pre-intrusion state. Progent then assisted with setup and storage recovery on key servers. All Microsoft Exchange Server schema and configuration information were intact, which facilitated the rebuild of Exchange. Progent was also able to assemble non-encrypted OST data files (Microsoft Outlook Offline Data Files) on user workstations and laptops to recover mail information. A recent off-line backup of the customerís financials/MRP software made it possible to return these required programs back on-line. Although a large amount of work still had to be done to recover completely from the Ryuk attack, the most important systems were restored quickly:


"For the most part, the production manufacturing operation never missed a beat and we produced all customer deliverables."

Over the next few weeks key milestones in the recovery process were achieved through tight collaboration between Progent engineers and the customer:

  • Internal web sites were brought back up without losing any data.
  • The MailStore Exchange Server exceeding four million archived messages was restored to operations and accessible to users.
  • CRM/Product Ordering/Invoicing/Accounts Payable (AP)/Accounts Receivables/Inventory capabilities were fully restored.
  • A new Palo Alto Networks 850 firewall was set up.
  • Ninety percent of the desktop computers were operational.

"A huge amount of what was accomplished those first few days is nearly entirely a haze for me, but we will not soon forget the care all of you accomplished to give us our company back. Iíve entrusted Progent for at least 10 years, maybe more, and every time Progent has impressed me and delivered. This event was the most impressive ever."

Conclusion
A likely business disaster was dodged through the efforts of top-tier professionals, a broad spectrum of subject matter expertise, and close collaboration. Although in analyzing the event afterwards the ransomware virus penetration described here could have been stopped with up-to-date cyber security technology and NIST Cybersecurity Framework best practices, staff training, and appropriate incident response procedures for data protection and applying software patches, the fact is that government-sponsored criminal cyber gangs from Russia, North Korea and elsewhere are relentless and are not going away. If you do fall victim to a crypto-ransomware incursion, feel confident that Progent's roster of professionals has a proven track record in ransomware virus blocking, removal, and information systems recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (and any others who were involved), thanks very much for making it so I could get some sleep after we got over the initial push. All of you did an impressive job, and if anyone that helped is in the Chicago area, a great meal is the least I can do!"

To review or download a PDF version of this customer story, click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Available from Progent
Progent can provide companies in Philadelphia a range of online monitoring and security evaluation services to help you to minimize your vulnerability to ransomware. These services incorporate next-generation artificial intelligence technology to detect new strains of ransomware that are able to get past legacy signature-based anti-virus products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring is an endpoint protection solution that incorporates cutting edge behavior analysis technology to guard physical and virtual endpoint devices against new malware assaults like ransomware and file-less exploits, which easily escape legacy signature-matching AV products. ProSight ASM protects on-premises and cloud-based resources and offers a single platform to address the complete threat progression including filtering, detection, containment, remediation, and forensics. Top features include single-click rollback with Windows VSS and real-time system-wide immunization against newly discovered attacks. Read more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection: Physical and Virtual Endpoint Protection and Exchange Filtering
    ProSight Enhanced Security Protection managed services offer affordable in-depth security for physical and virtual servers, workstations, mobile devices, and Exchange email. ProSight ESP uses contextual security and modern behavior analysis for continuously monitoring and responding to security assaults from all attack vectors. ProSight ESP delivers firewall protection, penetration alarms, endpoint control, and web filtering through leading-edge tools incorporated within a single agent accessible from a unified console. Progent's security and virtualization consultants can help your business to plan and implement a ProSight ESP environment that addresses your company's specific needs and that helps you demonstrate compliance with legal and industry data security standards. Progent will assist you specify and configure policies that ProSight ESP will enforce, and Progent will monitor your network and respond to alarms that call for immediate action. Progent's consultants can also assist your company to install and verify a backup and restore solution like ProSight Data Protection Services (DPS) so you can get back in business rapidly from a potentially disastrous security attack like ransomware. Read more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint security and Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery
    ProSight Data Protection Services from Progent provide small and mid-sized businesses a low cost and fully managed service for secure backup/disaster recovery. Available at a fixed monthly price, ProSight Data Protection Services automates your backup processes and enables rapid restoration of vital files, apps and virtual machines that have become unavailable or corrupted as a result of hardware breakdowns, software glitches, disasters, human error, or malware attacks like ransomware. ProSight Data Protection Services can help you protect, recover and restore files, folders, applications, system images, as well as Hyper-V and VMware virtual machine images. Critical data can be protected on the cloud, to a local storage device, or to both. Progent's cloud backup specialists can provide advanced expertise to configure ProSight DPS to to comply with regulatory requirements such as HIPPA, FIRPA, and PCI and, when necessary, can help you to restore your critical data. Read more about ProSight Data Protection Services Managed Cloud Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that uses the technology of top data security vendors to provide centralized management and comprehensive security for your inbound and outbound email. The hybrid architecture of Email Guard integrates cloud-based filtering with an on-premises security gateway appliance to provide advanced defense against spam, viruses, Denial of Service (DoS) Attacks, Directory Harvest Attacks, and other email-borne malware. The Cloud Protection Layer serves as a first line of defense and keeps most threats from reaching your security perimeter. This reduces your exposure to inbound threats and conserves network bandwidth and storage. Email Guard's on-premises gateway device adds a deeper layer of analysis for inbound email. For outgoing email, the on-premises gateway offers AV and anti-spam filtering, protection against data leaks, and email encryption. The local security gateway can also assist Microsoft Exchange Server to monitor and safeguard internal email traffic that stays inside your corporate firewall. For more details, visit ProSight Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is a network infrastructure monitoring and management service that makes it easy and inexpensive for smaller organizations to map, track, enhance and troubleshoot their networking hardware such as routers and switches, firewalls, and load balancers plus servers, endpoints and other networked devices. Using state-of-the-art RMM technology, WAN Watch ensures that infrastructure topology diagrams are always updated, copies and manages the configuration information of virtually all devices on your network, monitors performance, and generates notices when issues are discovered. By automating tedious management processes, WAN Watch can knock hours off common chores like making network diagrams, expanding your network, locating devices that require critical updates, or identifying the cause of performance problems. Learn more details about ProSight WAN Watch network infrastructure monitoring and management services.

  • ProSight LAN Watch: Server and Desktop Monitoring and Management
    ProSight LAN Watch is Progentís server and desktop monitoring service that incorporates state-of-the-art remote monitoring and management techniques to help keep your network running at peak levels by checking the health of critical computers that power your information system. When ProSight LAN Watch detects an issue, an alert is sent automatically to your specified IT staff and your Progent consultant so all looming issues can be addressed before they can disrupt productivity. Find out more about ProSight LAN Watch server and desktop remote monitoring consulting.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
    With Progent's ProSight Virtual Hosting service, a small or mid-size organization can have its key servers and applications hosted in a secure Tier III data center on a high-performance virtual machine host configured and managed by Progent's network support experts. With Progent's ProSight Virtual Hosting model, the customer retains ownership of the data, the OS platforms, and the applications. Because the system is virtualized, it can be moved immediately to an alternate hardware solution without requiring a time-consuming and technically risky reinstallation procedure. With ProSight Virtual Hosting, your business is not tied one hosting service. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to create, update, find and safeguard data related to your IT infrastructure, processes, business apps, and services. You can quickly locate passwords or IP addresses and be alerted automatically about impending expirations of SSL certificates or domains. By updating and organizing your IT documentation, you can save up to 50% of time wasted searching for critical information about your IT network. ProSight IT Asset Management includes a common location for holding and collaborating on all documents related to managing your network infrastructure such as recommended procedures and How-To's. ProSight IT Asset Management also supports advanced automation for collecting and relating IT information. Whether youíre making enhancements, doing maintenance, or reacting to an emergency, ProSight IT Asset Management delivers the data you need as soon as you need it. Find out more about ProSight IT Asset Management service.
For 24x7x365 Philadelphia Crypto Recovery Services, call Progent at 800-993-9400 or go to Contact Progent.