Ransomware : Your Crippling Information Technology Nightmare
Ransomware Recovery Consultants
Ransomware has become an all-too-frequent cyberplague that presents an extinction-level danger for businesses of all sizes that are poorly prepared for an attack. Older families such as Dharma, Fusob, Bad Rabbit, SamSam and MongoLock have been circulating for years and still inflict damage. Modern families like Ryuk, Maze, Sodinokibi (REvil), Netwalker, Snatch and Egregor, as well as newcomers not yet named, not only encrypt online files but also seek out and encrypt or delete every backup they can reach over the network. Files replicated to an off-site disaster recovery site can also be rendered useless, because replication faithfully copies the encrypted versions over the good ones. In a poorly architected data protection solution this can make automated recovery hopeless and effectively knocks the network back to zero.
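One practical consequence of the point above is that a backup job should not push a set off-site until something has checked that the files still look like the files they claim to be. The Python script below is an added example written for this page; it is not Progent's code or part of any ProSight service. It combines three cheap signals (a ransom extension appended to the name, a mismatch between the declared format and the file's magic bytes, and a byte entropy too high for a plaintext format) and refuses replication when any file in the set is flagged. The format table, the extension list, the 7.5 bits/byte threshold and the sample "backup set" are all assumptions constructed for the example.

```python
# Added example (not Progent's code): a pre-replication sanity check that flags
# backup files which already look ransomware-encrypted, so an encrypted backup
# set is not blindly copied over the good copies at the off-site DR site.
import math
import random
from collections import Counter
from dataclasses import dataclass, field

# Assumption: a few formats whose leading bytes (magic numbers) we can verify.
MAGIC = {
    ".pdf": b"%PDF",
    ".docx": b"PK\x03\x04",
    ".xlsx": b"PK\x03\x04",
    ".zip": b"PK\x03\x04",
    ".png": b"\x89PNG",
}
# Formats that are legitimately high-entropy (compressed); entropy alone must not flag them.
COMPRESSED = {".docx", ".xlsx", ".zip", ".png"}
# Example extensions appended by families named on this page (Ryuk, Dharma, Bad Rabbit).
# Many newer families use random per-victim extensions, so this list is a hint, not a rule.
RANSOM_EXTENSIONS = (".ryk", ".dharma", ".encrypted")
ENTROPY_THRESHOLD = 7.5  # bits per byte; plaintext formats sit well below this


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty input, 8.0 for uniform random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


@dataclass
class Verdict:
    name: str
    entropy: float
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def assess(name: str, data: bytes) -> Verdict:
    """Combine three signals: appended ransom extension, magic-byte mismatch, entropy."""
    lower = name.lower()
    v = Verdict(name=name, entropy=shannon_entropy(data))
    for ext in RANSOM_EXTENSIONS:
        if lower.endswith(ext):
            v.reasons.append(f"ransom extension {ext}")
            lower = lower[: -len(ext)]  # inspect the original extension underneath
            break
    dot = lower.rfind(".")
    declared = lower[dot:] if dot != -1 else ""
    magic = MAGIC.get(declared)
    if magic and not data.startswith(magic):
        v.reasons.append(f"{declared} file does not start with expected header {magic!r}")
    if declared not in COMPRESSED and v.entropy > ENTROPY_THRESHOLD:
        v.reasons.append(f"entropy {v.entropy:.2f} bits/byte is too high for a {declared or 'plaintext'} file")
    return v


def flagged_files(files: dict) -> list:
    """Names of files in a {name: bytes} backup set that look encrypted."""
    return [n for n, d in files.items() if assess(n, d).suspicious]


def should_replicate(files: dict) -> bool:
    """Gate: refuse to push the set off-site if any file in it looks encrypted."""
    return not flagged_files(files)


# Constructed sample backup set (not real customer data); seeded so runs are repeatable.
_rng = random.Random(1)
SAMPLES = {
    "report.pdf": b"%PDF-1.4\n" + b"quarterly figures " * 200,  # healthy, low-entropy PDF
    "budget.xlsx": b"PK\x03\x04" + _rng.randbytes(4096),         # healthy compressed Office file
    "report.pdf.ryk": _rng.randbytes(4096),                       # Ryuk-style: encrypted and renamed
    "notes.txt": _rng.randbytes(4096),                            # encrypted in place, name unchanged
    "memo.docx": b"\x00" + _rng.randbytes(4095),                  # encrypted in place, header destroyed
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        v = assess(name, data)
        print(f"{name:16} entropy={v.entropy:.2f} {'SUSPICIOUS' if v.suspicious else 'ok'} {v.reasons}")
    print("replicate:", should_replicate(SAMPLES))
```

The point of the entropy check is the `notes.txt` case: a file encrypted in place keeps its name and has no header to compare, so only its byte distribution gives it away. The point of the `COMPRESSED` exemption is `budget.xlsx`: Office, zip and PNG files are near 8 bits/byte when healthy, and an entropy-only check would block every legitimate backup that contains them. In production the gate would run against the staged backup set rather than an in-memory dictionary, and a flagged set should raise an alert, not just skip replication.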

Recovering services and data after a ransomware intrusion becomes a race against the clock as the victim struggles to contain the spread, eradicate the ransomware, and restore business-critical activity. Because encrypting an entire network takes time, attackers commonly trigger the encryption at night, on weekends or over holidays, when fewer staff are watching and a successful attack may take longer to recognize. This compounds the difficulty of promptly assembling and organizing an experienced response team.

Progent offers a variety of solutions for protecting organizations from ransomware events. These include user training to help staff recognize and avoid phishing attempts, ProSight Active Security Monitoring for behavior-based endpoint protection, and installation of the latest generation of security gateways with machine-learning capabilities to quickly detect and stop zero-day attacks. Progent also offers the services of veteran ransomware recovery engineers with the skill and commitment to rebuild a compromised environment as rapidly as possible.

Progent's Ransomware Restoration Help
Following a ransomware intrusion, even paying the ransom in Bitcoin provides no assurance that the criminals will deliver working keys to decrypt all your files. Kaspersky estimated that seventeen percent of ransomware victims never recovered their files even after paying, compounding their losses. Paying is also expensive: Ryuk ransoms often range from fifteen to forty BTC (between $120,000 and $400,000 at the time), well above the average ransomware demand, which ZDNet put at around $13,000. The alternative is to rebuild the vital parts of your IT environment. Without complete, uncompromised backups, this requires a broad complement of IT skills, well-coordinated project management, and the capacity to work non-stop until the task is complete.

For twenty years, Progent has provided expert IT services for businesses in Austin and throughout the U.S. and has earned Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes professionals who have earned top industry certifications in key technologies including Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cybersecurity engineers have earned internationally-renowned industry certifications including CISM, CISSP-ISSAP, CRISC, and SANS GIAC. (See Progent's certifications). Progent also has experience in financial management and ERP application software. This breadth of experience gives Progent the skills to quickly identify important systems and re-organize the surviving parts of your Information Technology environment following a ransomware event and rebuild them into a functioning system.

Progent's security team deploys top notch project management systems to coordinate the sophisticated recovery process. Progent understands the urgency of working rapidly and in unison with a client's management and IT resources to assign priority to tasks and to put the most important applications back on-line as fast as humanly possible.

Customer Case Study: A Successful Ransomware Intrusion Recovery
A client engaged Progent after their company was brought down by Ryuk ransomware. Early reports linked Ryuk to North Korean state actors because of code it shares with the Hermes ransomware; later analysis attributed it to the Russian-speaking criminal group tracked as Wizard Spider (Grim Spider). Ryuk targets specific organizations with limited tolerance for downtime and is one of the most profitable ransomware families. Headline victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a regional manufacturing company headquartered in Chicago with around 500 staff members. The Ryuk event had paralyzed all business operations and manufacturing processes. Most of the client's backups had been online at the time of the intrusion and were eventually encrypted. The client was preparing to pay the ransom (more than two hundred thousand dollars) and hope for the best, but in the end brought in Progent.


"I can't thank you enough for the care Progent provided us throughout the most stressful time of our business's survival. We may have had to pay the cyber criminals except for the confidence the Progent team gave us. The fact that you could get our messaging and critical servers back online quicker than five days was amazing. Every single expert I spoke to or messaged at Progent was laser focused on getting us operational and was working all day and night to bail us out."

Progent worked with the customer to quickly identify and prioritize the essential components that had to be recovered in order to continue company operations:

  • Microsoft Active Directory
  • Microsoft Exchange Server
  • MRP System
To start, Progent followed incident response best practices: containing the spread, then eradicating the malware from affected systems. Progent then began recovering Microsoft Active Directory, the heart of enterprise environments built on Microsoft technology. Microsoft Exchange Server will not work without AD, and the customer's MRP software used SQL Server, which relied on Active Directory for authentication and authorization to the data.

Within two days, Progent rebuilt Active Directory to its pre-attack state. Progent then completed the setup and storage recovery of the needed applications. All Exchange data and configuration information were intact, which accelerated the restoration of Exchange. Progent also collected local OST files (Microsoft Outlook Offline Data Files) from user desktops and laptops to recover email data. A recent off-line backup of the business's financial/MRP software made it possible to bring these required services back online. Although significant work remained to recover fully from the Ryuk attack, core systems were recovered rapidly:


"For the most part, the production manufacturing operation never missed a beat and we produced all customer shipments."

During the following month, critical milestones in the recovery project were completed in tight collaboration between Progent consultants and the client:

  • Internal web applications were returned to operation with no loss of data.
  • The MailStore email archive for Exchange Server, holding over 4 million archived emails, was restored to operation and made available to users.
  • CRM/Product Ordering/Invoices/Accounts Payable/Accounts Receivables (AR)/Inventory Control functions were 100% recovered.
  • A new Palo Alto Networks PA-850 firewall was installed.
  • Ninety percent of the user PCs were back into operation.

"A huge amount of what went on that first week is nearly entirely a haze for me, but my management will not soon forget the dedication each of your team put in to give us our company back. I have utilized Progent for at least 10 years, possibly more, and each time I needed help Progent has come through and delivered as promised. This event was the most impressive ever."

Conclusion
A potential business catastrophe was averted through the efforts of hard-working professionals, a broad spectrum of knowledge, and tight collaboration. In retrospect, the attack described here would likely have been detected and blocked by up-to-date security tooling and recognized best practices: staff training, tested offline backups, prompt patching, and rehearsed incident response procedures. The reality remains that ransomware operators, whether criminal gangs or state-sponsored groups from China, North Korea and elsewhere, are relentless and are not going away. If you do fall victim to a ransomware intrusion, you can be confident that Progent's roster of professionals has a proven track record in ransomware prevention, cleanup, and data recovery.


"So, to Darrin, Matt, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were contributing), thanks very much for allowing me to get rested after we got over the initial fire. Everyone made a fabulous effort, and if anyone is visiting the Chicago area, a great meal is on me!"

To review or download a PDF version of this ransomware incident report, please click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Offered by Progent
Progent can provide businesses in Austin a range of online monitoring and security assessment services designed to assist you to reduce your vulnerability to ransomware. These services include next-generation AI technology to uncover new strains of ransomware that are able to escape detection by traditional signature-based anti-virus solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring is an endpoint protection (EPP) solution that incorporates next-generation behavior analysis technology to guard physical and virtual endpoint devices against new malware attacks like ransomware and email phishing, which routinely escape legacy signature-matching anti-virus products. ProSight Active Security Monitoring safeguards local and cloud resources and offers a single platform to manage the entire malware attack lifecycle including protection, identification, mitigation, cleanup, and post-attack forensics. Top capabilities include one-click rollback using Windows Volume Shadow Copy Service (VSS) and automatic system-wide immunization against new threats. One caveat: many ransomware families delete shadow copies (for example with vssadmin) before they start encrypting, so VSS-based rollback only helps if the endpoint agent protects the shadow copies from that step; it is a complement to, not a substitute for, offline backups. Read more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection (ESP): Endpoint Protection and Exchange Filtering
    ProSight Enhanced Security Protection managed services offer affordable in-depth protection for physical servers and VMs, desktops, mobile devices, and Exchange Server. ProSight ESP utilizes contextual security and modern behavior analysis for round-the-clock monitoring of and response to security threats from all attack vectors. ProSight ESP offers firewall protection, intrusion alarms, endpoint control, and web filtering via cutting-edge technologies packaged within a single agent managed from a single console. Progent's data protection and virtualization experts can assist your business to design and implement a ProSight ESP deployment that meets your organization's unique requirements and that allows you to prove compliance with government and industry data protection regulations. Progent will help you define and implement the security policies that ProSight ESP will enforce, and Progent will monitor your IT environment and react to alarms that call for immediate action. Progent can also assist you to set up and test a backup and restore solution such as ProSight Data Protection Services so you can get back in business quickly after a potentially disastrous cyber attack such as ransomware. Find out more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint security and Microsoft Exchange email filtering.

  • ProSight Data Protection Services (DPS): Backup and Recovery Services
    Progent has worked with leading backup technology companies to produce ProSight Data Protection Services (DPS), a family of subscription-based management outsourcing plans that provide backup-as-a-service (BaaS). ProSight DPS services automate and monitor your backup operations and enable transparent backup and rapid recovery of vital files/folders, apps, images, and Hyper-V and VMware virtual machines. ProSight DPS helps you avoid data loss caused by equipment failures, natural disasters, fire, malware like ransomware, user mistakes, ill-intentioned employees, or application bugs. Managed services available in the ProSight DPS product line include ProSight Altaro VM Backup, ProSight Altaro Office 365 Backup, ProSight DPS ECHO Backup based on Barracuda dedicated storage, and ProSight DPS MSP360 Hybrid Backup. Your Progent consultant can assist you to identify which of these managed backup services are most appropriate for your IT environment.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that incorporates the infrastructure of leading data security companies to deliver web-based control and comprehensive security for your inbound and outbound email. The hybrid architecture of Email Guard combines cloud-based filtering with a local security gateway device to offer advanced defense against spam, viruses, Denial of Service (DoS) Attacks, Directory Harvest Attacks (DHAs), and other email-based threats. The cloud filter acts as a first line of defense and keeps most unwanted email from reaching your security perimeter. This reduces your exposure to external threats and conserves system bandwidth and storage. Email Guard's onsite gateway device provides a further level of inspection for incoming email. For outbound email, the on-premises gateway provides AV and anti-spam protection, protection against data leaks, and email encryption. The on-premises security gateway can also assist Microsoft Exchange Server to monitor and protect internal email traffic that stays within your corporate firewall. For more details, visit ProSight Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    Progent's ProSight WAN Watch is a network infrastructure monitoring and management service that makes it simple and inexpensive for small and mid-sized organizations to diagram, track, reconfigure and troubleshoot their networking hardware such as routers and switches, firewalls, and load balancers plus servers, endpoints and other networked devices. Incorporating state-of-the-art Remote Monitoring and Management (RMM) technology, ProSight WAN Watch ensures that infrastructure topology maps are kept current, copies and manages the configuration information of virtually all devices connected to your network, tracks performance, and sends alerts when problems are detected. By automating complex management and troubleshooting processes, WAN Watch can knock hours off ordinary tasks such as network mapping, expanding your network, finding devices that need critical updates, or isolating performance bottlenecks. Find out more about ProSight WAN Watch network infrastructure management consulting.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop monitoring service that uses state-of-the-art remote monitoring and management techniques to keep your network running at peak levels by tracking the health of vital assets that drive your business network. When ProSight LAN Watch detects a problem, an alert is transmitted immediately to your specified IT management personnel and your assigned Progent consultant so that all looming problems can be addressed before they have a chance to disrupt your network. Learn more details about ProSight LAN Watch server and desktop remote monitoring consulting.

  • ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
    With Progent's ProSight Virtual Hosting service, a small organization can have its critical servers and apps hosted in a protected Tier III data center on a high-performance virtual machine host configured and maintained by Progent's IT support professionals. Under the ProSight Virtual Hosting service model, the customer retains ownership of the data, the OS platforms, and the apps. Since the system is virtualized, it can be moved easily to a different hosting environment without a time-consuming and difficult configuration procedure. With ProSight Virtual Hosting, your business is not tied to a single hosting service. Learn more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to create, maintain, find and safeguard information about your network infrastructure, processes, applications, and services. You can quickly locate passwords or serial numbers and be alerted about impending expirations of SSL certificates or warranties. By cleaning up and organizing your network documentation, you can save up to 50% of time wasted looking for critical information about your network. ProSight IT Asset Management features a common location for storing and sharing all documents required for managing your business network such as recommended procedures and How-To's. ProSight IT Asset Management also supports advanced automation for gathering and associating IT information. Whether you're planning improvements, doing regular maintenance, or responding to a crisis, ProSight IT Asset Management delivers the data you require as soon as you need it. Read more about Progent's ProSight IT Asset Management service.

  • Progent Active Defense Against Ransomware: Machine Learning-based Ransomware Detection and Remediation
    Progent's Active Defense Against Ransomware is an endpoint protection solution that utilizes next-generation behavior analysis technology to defend endpoint devices and physical and virtual servers against modern malware attacks such as ransomware and email phishing, which easily escape traditional signature-matching anti-virus tools. The service protects on-premises and cloud resources and offers a single platform to automate the entire threat lifecycle including blocking, infiltration detection, mitigation, cleanup, and post-attack forensics. Top features include single-click rollback with Windows VSS (subject to the shadow copies surviving the attack) and automatic system-wide immunization against newly discovered attacks. Read more about Progent's ransomware defense and recovery services.

  • Outsourced/Co-managed Help Desk: Help Desk Managed Services
    Progent's Help Desk managed services enable your IT team to offload Help Desk services to Progent or divide responsibilities for Help Desk support transparently between your internal network support resources and Progent's extensive roster of certified IT support engineers and subject matter experts (SMEs). Progent's Shared Help Desk Service offers a transparent extension of your internal IT support organization. End user access to the Help Desk, delivery of support, escalation, ticket generation and updates, efficiency metrics, and management of the service database are consistent regardless of whether issues are taken care of by your corporate IT support resources, by Progent's team, or by a combination. Learn more about Progent's outsourced/shared Help Desk services.

  • Patch Management: Patch Management Services
    Progent's support services for patch management provide organizations of all sizes a flexible and affordable alternative for evaluating, validating, scheduling, implementing, and tracking software and firmware updates to your dynamic IT network. Besides maximizing the protection and functionality of your IT environment, Progent's patch management services permit your in-house IT staff to focus on more strategic initiatives and activities that deliver maximum business value from your information network. Find out more about Progent's software/firmware update management services.

  • ProSight Duo Two-Factor Authentication: Identity Validation, Endpoint Remediation, and Secure Single Sign-on
    Progent's Duo MFA services utilize Cisco's Duo cloud technology to protect against password theft by using two-factor authentication (2FA). Duo supports one-tap identity confirmation with iOS, Google Android, and other out-of-band devices. With Duo 2FA, whenever you log into a protected application and enter your password you are asked to confirm who you are via a device that only you possess and that is reached over a different ("out-of-band") channel, so a stolen password alone is not enough to log in. A wide selection of devices can be used as this added factor, including an iPhone, Android phone or wearable, a hardware or software token, or a landline telephone. You may designate several verification devices. For more information about ProSight Duo two-factor identity validation services, go to Cisco Duo MFA two-factor authentication services.
For 24/7 Austin Ransomware Remediation Services, reach out to Progent at 800-462-8800 or go to Contact Progent.