Ransomware : Your Crippling Information Technology Nightmare
Ransomware  Recovery ExpertsRansomware has become a too-frequent cyberplague that poses an existential danger for organizations poorly prepared for an attack. Different versions of ransomware like the Reveton, WannaCry, Bad Rabbit, Syskey and MongoLock cryptoworms have been replicating for many years and continue to inflict havoc. The latest versions of crypto-ransomware like Ryuk and Hermes, along with more as yet unnamed newcomers, not only do encryption of online information but also infiltrate any configured system protection. Files synchronized to off-site disaster recovery sites can also be corrupted. In a poorly architected system, this can render any recovery useless and basically sets the entire system back to zero.

Recovering applications and data after a ransomware attack becomes a race against the clock as the targeted organization struggles to stop the spread and clear the crypto-ransomware and to restore business-critical activity. Since crypto-ransomware requires time to spread, penetrations are usually sprung during weekends and nights, when penetrations typically take more time to uncover. This compounds the difficulty of quickly assembling and coordinating an experienced response team.

Progent has a range of support services for securing organizations from ransomware penetrations. Among these are user training to help identify and avoid phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, in addition to installation of the latest generation security solutions with machine learning technology to intelligently detect and extinguish day-zero cyber threats. Progent in addition can provide the services of veteran crypto-ransomware recovery consultants with the skills and commitment to restore a breached environment as rapidly as possible.

Progent's Crypto-Ransomware Restoration Help
After a crypto-ransomware event, sending the ransom demands in Bitcoin cryptocurrency does not provide any assurance that distant criminals will return the needed keys to decipher all your information. Kaspersky Labs estimated that 17% of ransomware victims never restored their information after having paid the ransom, resulting in more losses. The risk is also expensive. Ryuk ransoms commonly range from 15-40 BTC ($120,000 and $400,000). This is greatly above the usual ransomware demands, which ZDNET estimates to be approximately $13,000. The fallback is to setup from scratch the critical components of your IT environment. Absent access to complete information backups, this calls for a broad range of skills, professional project management, and the ability to work 24x7 until the recovery project is finished.

For decades, Progent has offered certified expert Information Technology services for companies in St. Louis and across the U.S. and has earned Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes consultants who have been awarded advanced certifications in leading technologies including Microsoft, Cisco, VMware, and major distributions of Linux. Progent's security experts have earned internationally-recognized industry certifications including CISM, CISSP-ISSAP, ISACA CRISC, and SANS GIAC. (Refer to Progent's certifications). Progent in addition has experience with accounting and ERP applications. This breadth of experience provides Progent the capability to efficiently identify necessary systems and integrate the remaining components of your IT system after a ransomware attack and rebuild them into a functioning network.

Progent's security team utilizes top notch project management applications to coordinate the complicated restoration process. Progent knows the urgency of acting swiftly and in unison with a client's management and Information Technology resources to prioritize tasks and to get key applications back on line as soon as humanly possible.

Business Case Study: A Successful Ransomware Virus Recovery
A business contacted Progent after their network was crashed by Ryuk ransomware virus. Ryuk is believed to have been developed by North Korean government sponsored cybercriminals, possibly adopting approaches leaked from Americaís NSA organization. Ryuk seeks specific companies with limited room for operational disruption and is one of the most lucrative examples of ransomware. Well Known organizations include Data Resolution, a California-based information warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a single-location manufacturing company headquartered in Chicago and has about 500 employees. The Ryuk attack had disabled all essential operations and manufacturing capabilities. Most of the client's data backups had been on-line at the beginning of the intrusion and were eventually encrypted. The client was taking steps for paying the ransom (in excess of $200,000) and hoping for the best, but ultimately engaged Progent.


"I cannot thank you enough about the care Progent gave us throughout the most stressful period of (our) companyís life. We had little choice but to pay the cybercriminals if it wasnít for the confidence the Progent group afforded us. That you were able to get our e-mail system and essential servers back online quicker than a week was earth shattering. Each person I talked with or texted at Progent was urgently focused on getting us restored and was working at all hours to bail us out."

Progent worked with the customer to rapidly determine and assign priority to the essential elements that needed to be restored in order to continue business operations:

  • Microsoft Active Directory
  • Exchange Server
  • MRP System
To begin, Progent adhered to ransomware penetration mitigation best practices by halting lateral movement and disinfecting systems. Progent then started the steps of bringing back online Microsoft Active Directory, the key technology of enterprise networks built upon Microsoft technology. Exchange messaging will not work without Active Directory, and the customerís financials and MRP system used Microsoft SQL Server, which needs Active Directory for authentication to the database.

Within two days, Progent was able to re-build Active Directory to its pre-penetration state. Progent then assisted with rebuilding and storage recovery on needed applications. All Exchange data and configuration information were usable, which facilitated the restore of Exchange. Progent was able to collect intact OST data files (Outlook Email Offline Folder Files) on various workstations and laptops in order to recover email information. A recent off-line backup of the client's accounting/ERP systems made them able to restore these required programs back on-line. Although significant work was left to recover fully from the Ryuk event, essential services were returned to operations rapidly:


"For the most part, the production manufacturing operation ran fairly normal throughout and we made all customer shipments."

Throughout the following few weeks key milestones in the recovery process were achieved in tight collaboration between Progent engineers and the client:

  • In-house web sites were returned to operation without losing any information.
  • The MailStore Server exceeding four million archived messages was brought online and accessible to users.
  • CRM/Customer Orders/Invoicing/AP/Accounts Receivables (AR)/Inventory modules were fully functional.
  • A new Palo Alto Networks 850 security appliance was brought online.
  • Ninety percent of the user desktops were functioning as before the incident.

"A huge amount of what occurred in the initial days is mostly a fog for me, but my team will not soon forget the countless hours each of the team put in to help get our business back. Iíve been working with Progent for at least 10 years, possibly more, and each time I needed help Progent has shined and delivered as promised. This situation was a testament to your capabilities."

Conclusion
A likely business disaster was dodged with dedicated experts, a wide array of IT skills, and close teamwork. Although in hindsight the ransomware incident detailed here could have been identified and stopped with up-to-date cyber security technology solutions and NIST Cybersecurity Framework best practices, staff training, and properly executed incident response procedures for backup and applying software patches, the fact remains that state-sponsored cyber criminals from China, North Korea and elsewhere are relentless and will continue. If you do get hit by a ransomware incident, remember that Progent's team of professionals has proven experience in crypto-ransomware virus blocking, remediation, and data disaster recovery.


"So, to Darrin, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were helping), thank you for letting me get some sleep after we got past the most critical parts. Everyone did an fabulous job, and if anyone is in the Chicago area, a great meal is my treat!"

To read or download a PDF version of this customer story, click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Available from Progent
Progent can provide businesses in St. Louis a range of remote monitoring and security evaluation services to help you to minimize your vulnerability to ransomware. These services include next-generation AI capability to uncover zero-day variants of ransomware that are able to get past legacy signature-based security solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring is an endpoint protection service that incorporates cutting edge behavior analysis technology to guard physical and virtual endpoints against modern malware assaults like ransomware and file-less exploits, which easily get by traditional signature-based AV products. ProSight Active Security Monitoring protects local and cloud-based resources and offers a single platform to address the complete malware attack lifecycle including protection, infiltration detection, mitigation, remediation, and forensics. Top features include one-click rollback using Windows Volume Shadow Copy Service (VSS) and automatic system-wide immunization against new attacks. Find out more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Security and Microsoft Exchange Email Filtering
    ProSight Enhanced Security Protection services offer economical in-depth protection for physical and virtual servers, desktops, smartphones, and Microsoft Exchange. ProSight ESP utilizes contextual security and advanced machine learning for round-the-clock monitoring and responding to security assaults from all vectors. ProSight ESP offers firewall protection, intrusion alerts, device control, and web filtering through cutting-edge tools packaged within a single agent managed from a unified console. Progent's data protection and virtualization consultants can help you to design and implement a ProSight ESP deployment that addresses your organization's unique requirements and that allows you prove compliance with government and industry information security regulations. Progent will help you define and configure policies that ProSight ESP will enforce, and Progent will monitor your network and respond to alerts that call for urgent attention. Progent's consultants can also help your company to install and verify a backup and restore system like ProSight Data Protection Services (DPS) so you can recover rapidly from a destructive security attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint security and Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services from Progent offer small and mid-sized businesses an affordable end-to-end solution for reliable backup/disaster recovery (BDR). Available at a fixed monthly rate, ProSight DPS automates your backup processes and allows rapid restoration of critical data, apps and VMs that have become lost or corrupted due to component failures, software bugs, disasters, human error, or malicious attacks such as ransomware. ProSight DPS can help you back up, retrieve and restore files, folders, applications, system images, as well as Microsoft Hyper-V and VMware images/. Critical data can be backed up on the cloud, to a local device, or mirrored to both. Progent's backup and recovery specialists can provide world-class support to configure ProSight DPS to to comply with regulatory standards such as HIPAA, FINRA, PCI and Safe Harbor and, whenever necessary, can help you to recover your business-critical data. Read more about ProSight DPS Managed Cloud Backup.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering and email encryption service that incorporates the infrastructure of top data security vendors to deliver centralized management and world-class security for all your email traffic. The hybrid structure of Email Guard combines cloud-based filtering with an on-premises security gateway appliance to provide complete protection against spam, viruses, Denial of Service (DoS) Attacks, Directory Harvest Attacks, and other email-borne threats. The Cloud Protection Layer serves as a preliminary barricade and keeps most unwanted email from making it to your network firewall. This reduces your exposure to inbound attacks and conserves system bandwidth and storage. Email Guard's onsite gateway appliance provides a further level of analysis for incoming email. For outgoing email, the onsite security gateway offers anti-virus and anti-spam protection, DLP, and email encryption. The onsite security gateway can also help Microsoft Exchange Server to track and safeguard internal email traffic that stays inside your corporate firewall. For more information, see ProSight Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Management
    Progentís ProSight WAN Watch is a network infrastructure management service that makes it easy and affordable for small and mid-sized businesses to diagram, monitor, optimize and troubleshoot their networking appliances such as switches, firewalls, and wireless controllers plus servers, printers, client computers and other networked devices. Using cutting-edge Remote Monitoring and Management technology, WAN Watch makes sure that network maps are always current, copies and manages the configuration of almost all devices on your network, monitors performance, and sends notices when problems are detected. By automating time-consuming management activities, WAN Watch can knock hours off common tasks like making network diagrams, reconfiguring your network, locating devices that need critical software patches, or isolating performance issues. Learn more about ProSight WAN Watch network infrastructure monitoring and management consulting.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
    ProSight LAN Watch is Progentís server and desktop monitoring service that incorporates state-of-the-art remote monitoring and management (RMM) techniques to help keep your IT system operating at peak levels by checking the health of critical computers that drive your information system. When ProSight LAN Watch detects a problem, an alert is sent automatically to your specified IT personnel and your assigned Progent engineering consultant so that all looming problems can be addressed before they have a chance to disrupt productivity. Learn more about ProSight LAN Watch server and desktop monitoring services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With Progent's ProSight Virtual Hosting service, a small organization can have its key servers and applications hosted in a secure Tier III data center on a fast virtual machine host set up and managed by Progent's network support professionals. With the ProSight Virtual Hosting model, the customer retains ownership of the data, the operating system platforms, and the applications. Since the system is virtualized, it can be ported easily to a different hardware environment without a time-consuming and difficult reinstallation procedure. With ProSight Virtual Hosting, you are not tied a single hosting provider. Find out more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to create, update, find and safeguard data related to your IT infrastructure, processes, business apps, and services. You can quickly find passwords or serial numbers and be alerted about upcoming expirations of SSLs or domains. By cleaning up and managing your network documentation, you can save up to 50% of time wasted trying to find vital information about your IT network. ProSight IT Asset Management includes a centralized repository for holding and sharing all documents required for managing your network infrastructure such as standard operating procedures (SOPs) and How-To's. ProSight IT Asset Management also offers advanced automation for collecting and relating IT data. Whether youíre planning enhancements, doing maintenance, or reacting to a crisis, ProSight IT Asset Management delivers the knowledge you require as soon as you need it. Read more about Progent's ProSight IT Asset Management service.
For 24x7 St. Louis Ransomware Repair Consultants, reach out to Progent at 800-993-9400 or go to Contact Progent.