Ransomware : Your Worst Information Technology Nightmare
Ransomware  Recovery ExpertsRansomware has become a too-frequent cyber pandemic that represents an existential danger for businesses vulnerable to an attack. Multiple generations of crypto-ransomware such as Reveton, Fusob, Bad Rabbit, NotPetya and MongoLock cryptoworms have been circulating for years and still inflict destruction. More recent strains of ransomware such as Ryuk, Maze, Sodinokibi, Netwalker, Lockbit or Egregor, along with more as yet unnamed malware, not only do encryption of online data files but also infiltrate most configured system restores and backups. Data replicated to the cloud can also be encrypted. In a vulnerable environment, it can make automated restore operations impossible and effectively sets the entire system back to square one.

Recovering programs and data after a ransomware attack becomes a race against the clock as the victim tries its best to stop lateral movement and eradicate the ransomware and to resume business-critical activity. Because ransomware needs time to move laterally, assaults are usually launched on weekends, when successful penetrations tend to take more time to identify. This multiplies the difficulty of rapidly mobilizing and organizing a capable mitigation team.

Progent makes available a range of solutions for securing enterprises from ransomware penetrations. Among these are team education to help identify and not fall victim to phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, in addition to setup and configuration of next-generation security appliances with AI capabilities to automatically identify and disable zero-day threats. Progent in addition offers the assistance of veteran ransomware recovery consultants with the track record and commitment to restore a compromised environment as urgently as possible.

Progent's Ransomware Recovery Support Services
Soon after a crypto-ransomware penetration, sending the ransom demands in Bitcoin cryptocurrency does not provide any assurance that merciless criminals will provide the codes to decipher any of your information. Kaspersky Labs ascertained that 17% of ransomware victims never recovered their data even after having sent off the ransom, resulting in more losses. The gamble is also very costly. Ryuk ransoms frequently range from 15-40 BTC ($120,000 and $400,000). This is significantly higher than the typical ransomware demands, which ZDNET estimates to be around $13,000. The other path is to piece back together the essential parts of your IT environment. Without the availability of essential information backups, this calls for a broad complement of skill sets, well-coordinated team management, and the willingness to work 24x7 until the job is completed.

For twenty years, Progent has offered professional Information Technology services for businesses in Dallas and throughout the U.S. and has earned Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes engineers who have attained high-level certifications in key technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's security consultants have earned internationally-recognized industry certifications including CISA, CISSP, ISACA CRISC, and GIAC. (Refer to Progent's certifications). Progent in addition has expertise in financial management and ERP applications. This breadth of experience affords Progent the capability to knowledgably determine necessary systems and re-organize the surviving components of your network system following a crypto-ransomware event and assemble them into a functioning network.

Progent's recovery team deploys top notch project management systems to coordinate the complex restoration process. Progent knows the urgency of working quickly and in unison with a client's management and Information Technology team members to assign priority to tasks and to put key systems back on-line as soon as humanly possible.

Client Story: A Successful Ransomware Virus Restoration
A small business contacted Progent after their network system was attacked by Ryuk crypto-ransomware. Ryuk is generally considered to have been launched by North Korean state sponsored cybercriminals, suspected of adopting techniques exposed from the United States NSA organization. Ryuk attacks specific companies with limited room for disruption and is one of the most profitable instances of ransomware malware. Well Known victims include Data Resolution, a California-based info warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a small manufacturer located in the Chicago metro area with around 500 employees. The Ryuk attack had shut down all business operations and manufacturing processes. Most of the client's backups had been on-line at the beginning of the intrusion and were eventually encrypted. The client was evaluating paying the ransom demand (exceeding two hundred thousand dollars) and hoping for good luck, but in the end engaged Progent.


"I canít thank you enough in regards to the help Progent gave us throughout the most stressful period of (our) companyís survival. We would have paid the Hackers if it wasnít for the confidence the Progent team gave us. That you could get our messaging and production servers back into operation faster than seven days was something I thought impossible. Every single consultant I interacted with or messaged at Progent was laser focused on getting us back on-line and was working 24/7 to bail us out."

Progent worked together with the client to quickly determine and prioritize the mission critical applications that needed to be restored to make it possible to continue company functions:

  • Active Directory (AD)
  • Electronic Messaging
  • Accounting and Manufacturing Software
To begin, Progent adhered to ransomware incident mitigation industry best practices by stopping lateral movement and clearing up compromised systems. Progent then started the work of recovering Windows Active Directory, the core of enterprise systems built upon Microsoft Windows Server technology. Microsoft Exchange messaging will not work without Windows AD, and the customerís accounting and MRP applications used SQL Server, which requires Active Directory services for security authorization to the information.

In less than 48 hours, Progent was able to rebuild Active Directory services to its pre-penetration state. Progent then initiated reinstallations and storage recovery of needed applications. All Exchange Server data and attributes were usable, which accelerated the rebuild of Exchange. Progent was able to find non-encrypted OST files (Outlook Email Off-Line Folder Files) on team PCs and laptops in order to recover email messages. A recent offline backup of the customerís accounting/MRP software made it possible to restore these essential applications back servicing users. Although a lot of work needed to be completed to recover completely from the Ryuk damage, core services were recovered quickly:


"For the most part, the production line operation did not miss a beat and we did not miss any customer sales."

Throughout the following month critical milestones in the restoration project were accomplished through close collaboration between Progent consultants and the customer:

  • Self-hosted web applications were brought back up without losing any information.
  • The MailStore Exchange Server containing more than 4 million historical emails was restored to operations and accessible to users.
  • CRM/Orders/Invoicing/Accounts Payable/Accounts Receivables/Inventory Control functions were fully operational.
  • A new Palo Alto 850 firewall was installed and configured.
  • 90% of the desktop computers were being used by staff.

"So much of what happened in the initial days is nearly entirely a haze for me, but my management will not soon forget the urgency each of your team put in to give us our company back. Iíve been working together with Progent for at least 10 years, maybe more, and each time I needed help Progent has shined and delivered. This situation was the most impressive ever."

Conclusion
A potential business extinction catastrophe was dodged by hard-working professionals, a wide range of subject matter expertise, and close teamwork. Although upon completion of forensics the crypto-ransomware virus penetration described here could have been identified and blocked with current cyber security systems and best practices, staff education, and properly executed security procedures for data backup and keeping systems up to date with security patches, the reality is that state-sponsored cyber criminals from Russia, China and elsewhere are relentless and are not going away. If you do get hit by a ransomware incident, feel confident that Progent's roster of professionals has a proven track record in ransomware virus blocking, mitigation, and data disaster recovery.


"So, to Darrin, Matt, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others who were contributing), thank you for making it so I could get some sleep after we got through the initial fire. Everyone did an incredible job, and if anyone that helped is around the Chicago area, a great meal is my treat!"

To read or download a PDF version of this customer story, click:
Progent's Ryuk Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Offered by Progent
Progent can provide businesses in Dallas a variety of online monitoring and security evaluation services to assist you to reduce your vulnerability to ransomware. These services include next-generation artificial intelligence technology to uncover new strains of crypto-ransomware that are able to get past traditional signature-based anti-virus products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring is an endpoint protection solution that incorporates next generation behavior-based analysis technology to defend physical and virtual endpoint devices against new malware assaults such as ransomware and email phishing, which easily escape legacy signature-matching AV tools. ProSight Active Security Monitoring safeguards on-premises and cloud-based resources and offers a single platform to manage the complete threat lifecycle including protection, identification, containment, cleanup, and post-attack forensics. Top features include single-click rollback using Windows Volume Shadow Copy Service and real-time system-wide immunization against newly discovered threats. Read more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection: Endpoint Security and Exchange Email Filtering
    ProSight Enhanced Security Protection (ESP) managed services offer economical multi-layer protection for physical and virtual servers, desktops, smartphones, and Exchange email. ProSight ESP uses adaptive security and advanced heuristics for round-the-clock monitoring and reacting to security assaults from all vectors. ProSight ESP offers firewall protection, penetration alerts, device management, and web filtering through leading-edge tools packaged within one agent managed from a unified console. Progent's data protection and virtualization consultants can help your business to design and configure a ProSight ESP environment that addresses your organization's unique requirements and that helps you prove compliance with government and industry information protection regulations. Progent will assist you define and configure policies that ProSight ESP will manage, and Progent will monitor your IT environment and respond to alarms that require urgent attention. Progent's consultants can also help your company to install and verify a backup and restore solution such as ProSight Data Protection Services so you can get back in business rapidly from a destructive security attack like ransomware. Find out more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint protection and Microsoft Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery
    ProSight Data Protection Services from Progent provide small and mid-sized organizations a low cost and fully managed solution for reliable backup/disaster recovery. For a fixed monthly cost, ProSight DPS automates and monitors your backup processes and enables rapid recovery of vital data, apps and VMs that have become unavailable or corrupted due to hardware breakdowns, software glitches, natural disasters, human error, or malicious attacks such as ransomware. ProSight DPS can help you protect, recover and restore files, folders, apps, system images, as well as Microsoft Hyper-V and VMware images/. Critical data can be backed up on the cloud, to an on-promises device, or mirrored to both. Progent's cloud backup consultants can provide advanced support to set up ProSight DPS to to comply with regulatory requirements such as HIPAA, FIRPA, PCI and Safe Harbor and, whenever necessary, can assist you to restore your critical data. Find out more about ProSight Data Protection Services Managed Cloud Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering and email encryption service that uses the technology of top information security companies to provide web-based management and world-class security for your inbound and outbound email. The powerful structure of Progent's Email Guard integrates a Cloud Protection Layer with a local gateway appliance to provide complete defense against spam, viruses, Denial of Service (DoS) Attacks, Directory Harvest Attacks, and other email-borne malware. The cloud filter acts as a first line of defense and blocks most threats from reaching your network firewall. This reduces your exposure to inbound threats and saves network bandwidth and storage. Email Guard's on-premises security gateway appliance adds a deeper level of inspection for inbound email. For outgoing email, the onsite security gateway offers anti-virus and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The on-premises gateway can also assist Exchange Server to monitor and safeguard internal email traffic that stays within your security perimeter. For more details, see Email Guard spam and content filtering.

  • ProSight WAN Watch: Infrastructure Management
    ProSight WAN Watch is an infrastructure monitoring and management service that makes it simple and affordable for smaller businesses to map, track, reconfigure and debug their connectivity appliances like routers and switches, firewalls, and access points as well as servers, client computers and other networked devices. Incorporating state-of-the-art Remote Monitoring and Management technology, WAN Watch makes sure that infrastructure topology diagrams are always current, captures and displays the configuration of almost all devices connected to your network, tracks performance, and generates notices when problems are discovered. By automating tedious management processes, ProSight WAN Watch can knock hours off ordinary chores such as making network diagrams, reconfiguring your network, locating appliances that require important updates, or identifying the cause of performance problems. Learn more about ProSight WAN Watch infrastructure monitoring and management services.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring
    ProSight LAN Watch is Progentís server and desktop monitoring managed service that incorporates state-of-the-art remote monitoring and management technology to keep your IT system running at peak levels by tracking the health of vital assets that drive your information system. When ProSight LAN Watch uncovers an issue, an alert is transmitted automatically to your designated IT personnel and your Progent engineering consultant so all looming issues can be addressed before they have a chance to impact your network. Learn more about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
    With ProSight Virtual Hosting service, a small or mid-size organization can have its critical servers and apps hosted in a secure fault tolerant data center on a fast virtual machine host configured and maintained by Progent's network support professionals. Under the ProSight Virtual Hosting model, the client retains ownership of the data, the OS software, and the apps. Because the environment is virtualized, it can be ported easily to a different hosting environment without a lengthy and technically risky configuration procedure. With ProSight Virtual Hosting, your business is not tied one hosting provider. Find out more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to create, maintain, find and safeguard data about your network infrastructure, processes, business apps, and services. You can quickly locate passwords or serial numbers and be warned automatically about upcoming expirations of SSL certificates ,domains or warranties. By cleaning up and managing your IT infrastructure documentation, you can save as much as half of time thrown away searching for critical information about your IT network. ProSight IT Asset Management includes a common location for holding and collaborating on all documents related to managing your network infrastructure like standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also offers a high level of automation for gathering and associating IT data. Whether youíre making enhancements, performing regular maintenance, or responding to a crisis, ProSight IT Asset Management delivers the information you need when you need it. Read more about Progent's ProSight IT Asset Management service.
For Dallas 24x7 Crypto Removal Experts, contact Progent at 800-993-9400 or go to Contact Progent.