Ransomware : Your Feared IT Disaster
Ransomware  Remediation ConsultantsRansomware has become an escalating cyberplague that presents an enterprise-level danger for businesses unprepared for an attack. Versions of crypto-ransomware like the Dharma, WannaCry, Locky, SamSam and MongoLock cryptoworms have been replicating for a long time and continue to inflict havoc. More recent strains of ransomware such as Ryuk and Hermes, along with more as yet unnamed newcomers, not only encrypt online data files but also infiltrate many accessible system protection mechanisms. Information synched to off-site disaster recovery sites can also be ransomed. In a vulnerable data protection solution, this can make any restore operations impossible and effectively knocks the datacenter back to square one.

Getting back on-line services and information following a ransomware attack becomes a sprint against the clock as the targeted business fights to stop the spread and clear the ransomware and to restore mission-critical operations. Due to the fact that crypto-ransomware takes time to move laterally, assaults are usually launched during weekends and nights, when attacks tend to take longer to discover. This multiplies the difficulty of rapidly assembling and orchestrating a capable response team.

Progent has a variety of services for protecting enterprises from ransomware events. These include user training to become familiar with and avoid phishing scams, ProSight Active Security Monitoring for remote monitoring and management, along with installation of modern security solutions with artificial intelligence capabilities to rapidly identify and extinguish zero-day cyber threats. Progent in addition provides the services of seasoned ransomware recovery consultants with the track record and commitment to restore a breached environment as soon as possible.

Progent's Ransomware Restoration Support Services
After a crypto-ransomware attack, even paying the ransom demands in Bitcoin cryptocurrency does not guarantee that cyber criminals will provide the codes to unencrypt all your information. Kaspersky Labs estimated that 17% of crypto-ransomware victims never restored their information after having paid the ransom, resulting in more losses. The gamble is also expensive. Ryuk ransoms frequently range from fifteen to forty BTC ($120,000 and $400,000). This is well above the typical crypto-ransomware demands, which ZDNET averages to be around $13,000. The alternative is to piece back together the essential elements of your IT environment. Absent the availability of essential information backups, this requires a broad range of skills, professional project management, and the ability to work 24x7 until the task is finished.

For twenty years, Progent has offered professional IT services for businesses in St. Louis and throughout the United States and has earned Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes consultants who have attained high-level industry certifications in foundation technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity experts have earned internationally-recognized industry certifications including CISA, CISSP-ISSAP, CRISC, and SANS GIAC. (Visit Progent's certifications). Progent also has experience with accounting and ERP applications. This breadth of experience provides Progent the capability to quickly determine necessary systems and re-organize the surviving pieces of your IT environment following a ransomware event and assemble them into an operational system.

Progent's ransomware team of experts uses best of breed project management applications to coordinate the complicated recovery process. Progent appreciates the urgency of acting quickly and in unison with a client's management and IT resources to prioritize tasks and to get key services back online as soon as possible.

Client Story: A Successful Ransomware Penetration Recovery
A client sought out Progent after their network was attacked by the Ryuk ransomware. Ryuk is believed to have been developed by Northern Korean state sponsored cybercriminals, possibly adopting approaches exposed from the United States NSA organization. Ryuk targets specific businesses with limited ability to sustain disruption and is one of the most lucrative instances of ransomware malware. Headline targets include Data Resolution, a California-based info warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a small manufacturing business headquartered in Chicago and has around 500 staff members. The Ryuk intrusion had frozen all business operations and manufacturing capabilities. The majority of the client's data backups had been directly accessible at the beginning of the intrusion and were encrypted. The client considered paying the ransom demand (in excess of $200K) and praying for the best, but in the end reached out to Progent.


"I cannot say enough in regards to the care Progent gave us during the most stressful period of (our) companyís survival. We may have had to pay the Hackers if it wasnít for the confidence the Progent team provided us. The fact that you could get our e-mail system and essential servers back quicker than seven days was amazing. Every single expert I interacted with or texted at Progent was urgently focused on getting our system up and was working day and night to bail us out."

Progent worked with the client to quickly get our arms around and prioritize the essential systems that had to be restored in order to restart departmental operations:

  • Microsoft Active Directory
  • Microsoft Exchange
  • Financials/MRP
To start, Progent followed ransomware event response best practices by halting the spread and disinfecting systems. Progent then started the work of restoring Microsoft Active Directory, the core of enterprise systems built upon Microsoft technology. Exchange messaging will not operate without AD, and the client's accounting and MRP system utilized Microsoft SQL, which needs Active Directory for security authorization to the databases.

Within two days, Progent was able to restore Active Directory services to its pre-virus state. Progent then charged ahead with setup and hard drive recovery of mission critical servers. All Microsoft Exchange Server schema and configuration information were intact, which accelerated the rebuild of Exchange. Progent was also able to collect intact OST files (Microsoft Outlook Offline Folder Files) on various workstations and laptops in order to recover mail messages. A recent offline backup of the customerís manufacturing systems made it possible to recover these required programs back online for users. Although a lot of work needed to be completed to recover fully from the Ryuk attack, core systems were recovered rapidly:


"For the most part, the production line operation ran fairly normal throughout and we delivered all customer orders."

During the next month important milestones in the restoration process were accomplished in tight collaboration between Progent team members and the customer:

  • Internal web sites were restored without losing any information.
  • The MailStore Server with over four million archived emails was restored to operations and accessible to users.
  • CRM/Orders/Invoicing/Accounts Payable (AP)/Accounts Receivables (AR)/Inventory functions were fully operational.
  • A new Palo Alto 850 firewall was brought online.
  • Most of the user PCs were being used by staff.

"A lot of what was accomplished those first few days is nearly entirely a haze for me, but our team will not soon forget the care each and every one of your team put in to give us our business back. I have entrusted Progent for at least 10 years, maybe more, and each time I needed help Progent has outperformed my expectations and delivered as promised. This event was no exception but maybe more Herculean."

Conclusion
A probable company-ending disaster was averted through the efforts of top-tier experts, a wide range of IT skills, and tight collaboration. Although in analyzing the event afterwards the ransomware attack detailed here would have been shut down with up-to-date cyber security solutions and recognized best practices, user education, and properly executed security procedures for data backup and applying software patches, the reality remains that state-sponsored cyber criminals from China, Russia, North Korea and elsewhere are relentless and are not going away. If you do get hit by a crypto-ransomware incursion, remember that Progent's roster of professionals has substantial experience in ransomware virus defense, cleanup, and data disaster recovery.


"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (and any others that were involved), thanks very much for allowing me to get rested after we made it over the initial fire. Everyone did an incredible effort, and if any of your guys is visiting the Chicago area, a great meal is on me!"

To review or download a PDF version of this customer story, please click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent can provide companies in St. Louis a variety of remote monitoring and security evaluation services designed to assist you to minimize the threat from ransomware. These services incorporate modern artificial intelligence technology to uncover new strains of crypto-ransomware that can escape detection by legacy signature-based anti-virus products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring is an endpoint protection (EPP) solution that utilizes next generation behavior-based machine learning tools to guard physical and virtual endpoints against new malware assaults such as ransomware and file-less exploits, which easily escape legacy signature-matching AV tools. ProSight Active Security Monitoring safeguards local and cloud resources and provides a single platform to address the entire malware attack progression including protection, identification, containment, remediation, and forensics. Key features include single-click rollback using Windows Volume Shadow Copy Service (VSS) and automatic network-wide immunization against newly discovered threats. Find out more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection: Physical and Virtual Endpoint Protection and Exchange Filtering
    ProSight Enhanced Security Protection managed services deliver economical in-depth protection for physical servers and VMs, workstations, smartphones, and Exchange Server. ProSight ESP uses adaptive security and advanced heuristics for round-the-clock monitoring and responding to cyber threats from all vectors. ProSight ESP delivers firewall protection, penetration alarms, device control, and web filtering via leading-edge technologies incorporated within one agent accessible from a single control. Progent's security and virtualization consultants can assist you to design and implement a ProSight ESP environment that addresses your company's unique requirements and that helps you achieve and demonstrate compliance with government and industry data security standards. Progent will help you specify and configure security policies that ProSight ESP will enforce, and Progent will monitor your IT environment and respond to alerts that require immediate action. Progent can also assist your company to install and verify a backup and restore system such as ProSight Data Protection Services so you can get back in business quickly from a potentially disastrous security attack like ransomware. Find out more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint protection and Microsoft Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services from Progent provide small and mid-sized businesses a low cost and fully managed solution for reliable backup/disaster recovery. For a fixed monthly price, ProSight Data Protection Services automates your backup processes and enables fast recovery of critical data, apps and VMs that have become lost or corrupted due to component breakdowns, software bugs, natural disasters, human error, or malicious attacks such as ransomware. ProSight DPS can help you protect, retrieve and restore files, folders, apps, system images, plus Microsoft Hyper-V and VMware virtual machine images. Important data can be protected on the cloud, to a local device, or to both. Progent's backup and recovery specialists can deliver advanced expertise to set up ProSight Data Protection Services to be compliant with regulatory requirements like HIPPA, FINRA, PCI and Safe Harbor and, whenever necessary, can assist you to recover your business-critical data. Learn more about ProSight DPS Managed Cloud Backup.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that incorporates the technology of top data security companies to provide centralized control and world-class protection for all your email traffic. The hybrid structure of Progent's Email Guard combines cloud-based filtering with an on-premises security gateway appliance to provide complete defense against spam, viruses, Dos Attacks, Directory Harvest Attacks, and other email-based malware. The Cloud Protection Layer acts as a first line of defense and blocks most threats from reaching your security perimeter. This reduces your vulnerability to inbound threats and conserves network bandwidth and storage space. Email Guard's onsite gateway appliance adds a deeper level of inspection for inbound email. For outgoing email, the on-premises gateway offers AV and anti-spam filtering, policy-based Data Loss Prevention, and email encryption. The on-premises gateway can also assist Exchange Server to track and protect internal email that originates and ends within your security perimeter. For more information, see ProSight Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Management
    ProSight WAN Watch is an infrastructure management service that makes it simple and affordable for small and mid-sized businesses to map, track, enhance and troubleshoot their networking hardware such as routers, firewalls, and access points as well as servers, endpoints and other devices. Incorporating cutting-edge RMM technology, ProSight WAN Watch ensures that infrastructure topology maps are always updated, captures and displays the configuration of virtually all devices on your network, monitors performance, and generates alerts when issues are detected. By automating tedious management activities, WAN Watch can cut hours off ordinary tasks such as making network diagrams, reconfiguring your network, finding appliances that require critical updates, or isolating performance bottlenecks. Find out more details about ProSight WAN Watch network infrastructure monitoring and management consulting.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
    ProSight LAN Watch is Progentís server and desktop monitoring service that uses advanced remote monitoring and management (RMM) technology to keep your network operating efficiently by tracking the state of vital assets that drive your business network. When ProSight LAN Watch uncovers a problem, an alarm is sent immediately to your specified IT personnel and your assigned Progent consultant so any potential issues can be resolved before they have a chance to impact productivity. Learn more details about ProSight LAN Watch server and desktop monitoring consulting.

  • ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
    With Progent's ProSight Virtual Hosting service, a small or mid-size business can have its critical servers and applications hosted in a protected fault tolerant data center on a fast virtual machine host set up and maintained by Progent's IT support experts. Under the ProSight Virtual Hosting service model, the client owns the data, the OS software, and the apps. Since the environment is virtualized, it can be moved immediately to an alternate hardware environment without a time-consuming and difficult configuration procedure. With ProSight Virtual Hosting, your business is not locked into a single hosting service. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to capture, maintain, find and protect information about your IT infrastructure, processes, business apps, and services. You can instantly find passwords or serial numbers and be warned about upcoming expirations of SSLs or domains. By cleaning up and managing your network documentation, you can save up to 50% of time wasted searching for critical information about your IT network. ProSight IT Asset Management includes a common repository for holding and collaborating on all documents required for managing your business network like standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also supports a high level of automation for gathering and relating IT information. Whether youíre making enhancements, doing regular maintenance, or reacting to a crisis, ProSight IT Asset Management delivers the information you need as soon as you need it. Find out more about ProSight IT Asset Management service.
For 24x7 St. Louis Crypto-Ransomware Remediation Services, reach out to Progent at 800-993-9400 or go to Contact Progent.