Ransomware : Your Worst IT Nightmare
Crypto-Ransomware  Remediation ExpertsRansomware has become a too-frequent cyberplague that presents an enterprise-level danger for businesses poorly prepared for an attack. Different versions of ransomware such as Reveton, CryptoWall, Locky, SamSam and MongoLock cryptoworms have been running rampant for many years and still cause damage. The latest versions of ransomware like Ryuk and Hermes, along with frequent as yet unnamed newcomers, not only do encryption of online data but also infect many available system protection mechanisms. Information synchronized to cloud environments can also be ransomed. In a poorly architected system, this can make automated restore operations hopeless and basically knocks the entire system back to zero.

Recovering services and information after a ransomware event becomes a race against time as the targeted business struggles to contain and cleanup the crypto-ransomware and to resume mission-critical activity. Due to the fact that ransomware requires time to spread, assaults are usually launched on weekends, when attacks typically take more time to identify. This compounds the difficulty of rapidly marshalling and coordinating a qualified response team.

Progent makes available a variety of support services for securing enterprises from ransomware events. These include user education to help identify and avoid phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, in addition to installation of the latest generation security gateways with artificial intelligence technology to automatically discover and disable new threats. Progent also provides the assistance of expert ransomware recovery professionals with the track record and commitment to restore a compromised system as soon as possible.

Progent's Ransomware Recovery Services
Following a crypto-ransomware event, sending the ransom in cryptocurrency does not ensure that criminal gangs will provide the keys to unencrypt all your information. Kaspersky Labs estimated that seventeen percent of crypto-ransomware victims never recovered their data even after having paid the ransom, resulting in more losses. The gamble is also very costly. Ryuk ransoms frequently range from 15-40 BTC ($120,000 and $400,000). This is greatly higher than the usual ransomware demands, which ZDNET estimates to be approximately $13,000. The alternative is to setup from scratch the critical components of your IT environment. Without access to complete data backups, this calls for a wide complement of skills, top notch team management, and the willingness to work 24x7 until the task is completed.

For decades, Progent has made available certified expert Information Technology services for companies in Austin and throughout the U.S. and has achieved Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes professionals who have been awarded advanced certifications in leading technologies like Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cybersecurity consultants have earned internationally-recognized certifications including CISA, CISSP-ISSAP, CRISC, and SANS GIAC. (Refer to Progent's certifications). Progent in addition has experience with financial systems and ERP software solutions. This breadth of experience gives Progent the skills to rapidly identify important systems and integrate the remaining components of your Information Technology system after a crypto-ransomware event and configure them into an operational system.

Progent's security group utilizes top notch project management tools to orchestrate the complicated recovery process. Progent knows the urgency of working rapidly and in concert with a client's management and IT team members to prioritize tasks and to get essential services back on-line as fast as possible.

Client Case Study: A Successful Crypto-Ransomware Virus Recovery
A customer escalated to Progent after their network was taken over by Ryuk crypto-ransomware. Ryuk is believed to have been created by North Korean government sponsored cybercriminals, possibly using algorithms exposed from Americaís National Security Agency. Ryuk seeks specific organizations with little ability to sustain disruption and is among the most lucrative iterations of ransomware. High publicized organizations include Data Resolution, a California-based information warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a regional manufacturing company headquartered in the Chicago metro area with about 500 staff members. The Ryuk event had shut down all business operations and manufacturing processes. The majority of the client's system backups had been on-line at the beginning of the attack and were encrypted. The client was evaluating paying the ransom demand (in excess of $200K) and praying for good luck, but in the end utilized Progent.


"I canít say enough about the help Progent provided us throughout the most stressful time of (our) businesses life. We may have had to pay the cyber criminals if not for the confidence the Progent group afforded us. The fact that you were able to get our messaging and production applications back online in less than five days was beyond my wildest dreams. Each expert I got help from or communicated with at Progent was absolutely committed on getting us back online and was working 24 by 7 to bail us out."

Progent worked with the client to rapidly assess and assign priority to the critical areas that had to be restored to make it possible to continue departmental operations:

  • Active Directory
  • Microsoft Exchange Email
  • Accounting/MRP
To get going, Progent adhered to Anti-virus event mitigation industry best practices by halting lateral movement and clearing up compromised systems. Progent then initiated the work of bringing back online Microsoft AD, the heart of enterprise systems built on Microsoft Windows technology. Microsoft Exchange Server email will not work without AD, and the customerís MRP system used SQL Server, which requires Active Directory services for authentication to the databases.

Within 2 days, Progent was able to re-build Windows Active Directory to its pre-intrusion state. Progent then assisted with rebuilding and storage recovery on the most important servers. All Microsoft Exchange Server data and attributes were usable, which accelerated the restore of Exchange. Progent was able to assemble intact OST files (Outlook Email Offline Data Files) on various PCs and laptops in order to recover email data. A not too old off-line backup of the customerís financials/MRP software made them able to return these required services back on-line. Although significant work still had to be done to recover totally from the Ryuk virus, critical systems were recovered quickly:


"For the most part, the manufacturing operation was never shut down and we delivered all customer shipments."

Throughout the following month critical milestones in the restoration process were achieved in close cooperation between Progent consultants and the customer:

  • Self-hosted web sites were brought back up with no loss of data.
  • The MailStore Microsoft Exchange Server containing more than 4 million historical emails was spun up and accessible to users.
  • CRM/Customer Orders/Invoices/Accounts Payable (AP)/AR/Inventory functions were 100 percent restored.
  • A new Palo Alto Networks 850 security appliance was deployed.
  • Ninety percent of the user desktops were being used by staff.

"A huge amount of what transpired during the initial response is nearly entirely a fog for me, but my team will not soon forget the dedication each of you accomplished to help get our company back. Iíve been working together with Progent for at least 10 years, maybe more, and every time Progent has outperformed my expectations and delivered as promised. This situation was the most impressive ever."

Conclusion
A possible enterprise-killing catastrophe was dodged with top-tier professionals, a broad spectrum of subject matter expertise, and tight teamwork. Although in post mortem the ransomware incident described here should have been disabled with up-to-date cyber security technology solutions and best practices, user training, and well thought out incident response procedures for information backup and keeping systems up to date with security patches, the reality is that government-sponsored hackers from Russia, North Korea and elsewhere are relentless and represent an ongoing threat. If you do fall victim to a ransomware virus, remember that Progent's team of experts has extensive experience in ransomware virus defense, removal, and information systems restoration.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (along with others who were involved), thanks very much for making it so I could get some sleep after we made it through the initial fire. Everyone did an fabulous effort, and if any of your guys is visiting the Chicago area, a great meal is on me!"

To read or download a PDF version of this case study, please click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent can provide businesses in Austin a variety of remote monitoring and security assessment services to assist you to minimize your vulnerability to crypto-ransomware. These services utilize next-generation machine learning capability to uncover zero-day strains of ransomware that can evade traditional signature-based anti-virus solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring is an endpoint protection (EPP) solution that incorporates cutting edge behavior machine learning technology to guard physical and virtual endpoints against modern malware assaults like ransomware and file-less exploits, which easily escape legacy signature-based anti-virus products. ProSight ASM protects local and cloud resources and offers a unified platform to automate the complete threat lifecycle including protection, identification, mitigation, cleanup, and post-attack forensics. Key capabilities include single-click rollback using Windows Volume Shadow Copy Service (VSS) and real-time system-wide immunization against new attacks. Learn more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection (ESP): Endpoint Security and Exchange Filtering
    ProSight Enhanced Security Protection (ESP) services offer economical multi-layer security for physical servers and virtual machines, workstations, smartphones, and Exchange Server. ProSight ESP utilizes adaptive security and advanced machine learning for continuously monitoring and responding to cyber threats from all vectors. ProSight ESP delivers firewall protection, intrusion alerts, device management, and web filtering through leading-edge technologies packaged within one agent accessible from a single console. Progent's security and virtualization experts can assist you to design and configure a ProSight ESP deployment that addresses your company's unique needs and that helps you demonstrate compliance with legal and industry data security standards. Progent will help you specify and configure policies that ProSight ESP will enforce, and Progent will monitor your network and respond to alerts that call for urgent action. Progent can also assist you to set up and verify a backup and restore solution like ProSight Data Protection Services (DPS) so you can recover quickly from a potentially disastrous cyber attack like ransomware. Read more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint security and Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery
    ProSight Data Protection Services from Progent offer small and mid-sized businesses a low cost and fully managed solution for reliable backup/disaster recovery. For a low monthly price, ProSight Data Protection Services automates and monitors your backup processes and allows fast recovery of vital files, applications and virtual machines that have become unavailable or damaged as a result of hardware failures, software bugs, disasters, human error, or malware attacks such as ransomware. ProSight DPS can help you back up, retrieve and restore files, folders, apps, system images, as well as Microsoft Hyper-V and VMware virtual machine images. Critical data can be protected on the cloud, to a local storage device, or to both. Progent's BDR consultants can deliver advanced expertise to configure ProSight Data Protection Services to be compliant with government and industry regulatory standards like HIPAA, FIRPA, PCI and Safe Harbor and, whenever necessary, can assist you to recover your business-critical data. Learn more about ProSight Data Protection Services Managed Backup.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering and email encryption service that incorporates the technology of top data security companies to provide centralized management and comprehensive security for all your email traffic. The powerful structure of Progent's Email Guard managed service integrates a Cloud Protection Layer with a local gateway device to offer complete defense against spam, viruses, Denial of Service (DoS) Attacks, Directory Harvest Attacks (DHAs), and other email-based malware. The cloud filter acts as a first line of defense and blocks most threats from making it to your network firewall. This reduces your vulnerability to external threats and saves system bandwidth and storage space. Email Guard's onsite gateway device adds a deeper level of inspection for inbound email. For outgoing email, the on-premises gateway offers AV and anti-spam filtering, protection against data leaks, and email encryption. The on-premises gateway can also assist Exchange Server to track and safeguard internal email that stays within your corporate firewall. For more information, visit Email Guard spam and content filtering.

  • ProSight WAN Watch: Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is an infrastructure monitoring and management service that makes it easy and inexpensive for small and mid-sized businesses to map, track, enhance and troubleshoot their networking hardware like switches, firewalls, and access points plus servers, printers, client computers and other devices. Using cutting-edge Remote Monitoring and Management technology, ProSight WAN Watch ensures that infrastructure topology maps are always current, copies and manages the configuration information of almost all devices on your network, tracks performance, and generates alerts when potential issues are discovered. By automating time-consuming management activities, ProSight WAN Watch can cut hours off common tasks such as making network diagrams, reconfiguring your network, locating appliances that need critical software patches, or isolating performance issues. Learn more about ProSight WAN Watch infrastructure monitoring and management consulting.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
    ProSight LAN Watch is Progentís server and desktop monitoring service that uses advanced remote monitoring and management (RMM) technology to keep your IT system operating efficiently by checking the state of critical assets that drive your business network. When ProSight LAN Watch uncovers a problem, an alert is transmitted automatically to your specified IT staff and your Progent engineering consultant so that all looming problems can be addressed before they have a chance to disrupt your network. Learn more about ProSight LAN Watch server and desktop monitoring consulting.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
    With ProSight Virtual Hosting service, a small or mid-size organization can have its key servers and applications hosted in a protected fault tolerant data center on a fast virtual machine host set up and managed by Progent's network support experts. With Progent's ProSight Virtual Hosting model, the client owns the data, the operating system software, and the apps. Because the system is virtualized, it can be ported easily to a different hosting solution without a lengthy and technically risky reinstallation process. With ProSight Virtual Hosting, your business is not locked into one hosting service. Learn more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to create, maintain, find and safeguard data about your IT infrastructure, procedures, business apps, and services. You can instantly find passwords or serial numbers and be warned automatically about impending expirations of SSL certificates or warranties. By updating and organizing your IT infrastructure documentation, you can save up to half of time thrown away searching for critical information about your network. ProSight IT Asset Management includes a common location for storing and sharing all documents required for managing your business network like standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also offers a high level of automation for collecting and relating IT data. Whether youíre planning enhancements, performing regular maintenance, or responding to an emergency, ProSight IT Asset Management delivers the knowledge you require as soon as you need it. Find out more about ProSight IT Asset Management service.
For 24/7/365 Austin Ransomware Recovery Experts, call Progent at 800-993-9400 or go to Contact Progent.