Ransomware: Your Most Feared Information Technology Disaster
Crypto-Ransomware Remediation Experts
Ransomware has become an all-too-frequent cyberplague that presents an existential threat to businesses of every size. Older families such as CrySIS, Fusob, Bad Rabbit, NotPetya and MongoLock have been circulating for years and still inflict damage. Newer strains like Ryuk, Maze, Sodinokibi (REvil), Netwalker, Snatch and Egregor, along with as-yet-unnamed malware, not only encrypt online data but also seek out and encrypt or delete any backups reachable from the compromised network. Data synchronized to cloud storage can be ransomed as well, because the sync client faithfully replicates the encrypted files just like any other change. In a vulnerable environment this can make recovery hopeless and effectively knocks the network back to square one.

Recovering applications and data after a crypto-ransomware outage becomes a sprint against the clock as the targeted organization tries to contain the damage, remove the ransomware and resume mission-critical operations. Because the operators need time to move laterally and stage the encryption, the final payload is often detonated at night or over a weekend, when detection and response take longer. This compounds the difficulty of quickly assembling and orchestrating a qualified mitigation team.

Progent offers a variety of services for protecting enterprises against crypto-ransomware. These include user training to recognize and avoid phishing, ProSight Active Security Monitoring for remote monitoring and management, and setup and configuration of next-generation security appliances that use machine learning to detect and block zero-day threats. Progent also provides seasoned ransomware recovery engineers with the skill and perseverance to rebuild a breached network as quickly as possible.

Progent's Ransomware Recovery Services
After a crypto-ransomware penetration, even paying the ransom in Bitcoin does not guarantee that the criminals will respond with working decryption keys for any of your data. Kaspersky Labs found that 17% of ransomware victims never recovered their files after paying, compounding their losses. The ransom itself is also costly: Ryuk demands often range from 15 to 40 BTC (roughly $120,000 to $400,000 at the time), far above the typical ransomware demand, which ZDNet put at around $13,000. The alternative is to rebuild the key components of your IT environment. Without usable backups, this calls for a wide range of IT skills, top-notch team management, and the ability to work around the clock until the job is done.

For decades, Progent has provided professional IT services to companies in Garland and across the United States and holds Microsoft Gold Partner certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes engineers with advanced certifications in foundation technologies from Microsoft, Cisco and VMware and in the major Linux distributions. Progent's cybersecurity experts hold internationally recognized industry certifications including CISA, CISSP-ISSAP, ISACA CRISC, and GIAC (see Progent's certifications). Progent also has experience with financial management and ERP applications. This breadth of experience lets Progent quickly identify the systems that matter, consolidate the surviving pieces of your network after a ransomware penetration, and assemble them into an operational whole.

Progent's security group uses state-of-the-art project management tools to orchestrate the complex recovery process. Progent understands the importance of acting swiftly and in concert with a customer's management and IT staff to prioritize tasks and get essential systems back online as fast as possible.

Business Case Study: A Successful Crypto-Ransomware Virus Recovery
A customer escalated to Progent after their company was penetrated by Ryuk ransomware. Early analysis linked Ryuk to North Korean state-sponsored actors because it shares code with the Hermes ransomware; later research attributed its operation to Russian-speaking criminal groups. Ryuk targets specific businesses with little or no tolerance for disruption and is one of the most profitable ransomware families. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a single-location manufacturing company in the Chicago metro area with around 500 staff. The Ryuk intrusion had brought down all essential business and manufacturing processes. Most of the client's backups were online at the start of the intrusion and were encrypted along with the production data. The client was considering paying the ransom (more than $200,000) and hoping for the best, but ultimately called Progent.


"I can't tell you enough about the care Progent provided us during the most fearful time of (our) business's life. We may have had to pay the criminal gangs if not for the confidence the Progent team provided us. The fact that you could get our messaging and critical servers back in less than a week was incredible. Every single person I interacted with or e-mailed at Progent was absolutely committed to getting us restored and was working at all hours on our behalf."

Progent worked hand in hand with the customer to quickly identify and prioritize the most important elements that had to be restored before company functions could restart:

  • Active Directory
  • Email
  • Accounting/MRP
To begin, Progent followed malware incident response best practices by isolating and disinfecting the affected systems. Progent then began bringing Microsoft Active Directory back online, since it is the foundation of enterprise environments built on Microsoft technology: Microsoft Exchange will not function without AD, and the business's financial and MRP applications ran on Microsoft SQL Server, which relied on Windows AD for authentication to the database.

In less than 48 hours, Progent rebuilt Windows Active Directory to its pre-intrusion state. Progent then rebuilt servers and recovered disks for the required applications. All Exchange Server schema and configuration information was intact, which simplified the Exchange restore. Progent was able to collect intact OST files (Outlook offline data files) from user desktops and laptops to recover mailbox contents. A recent offline backup of the client's financial/MRP systems made it possible to bring those required applications back online. Although major work remained to recover fully from the Ryuk damage, essential services were returned to operation rapidly:


"For the most part, the production line ran fairly normally throughout and we delivered all customer orders."

Over the following month, critical milestones in the restoration project were reached through close cooperation between Progent consultants and the client:

  • Internal web applications were restored with no loss of data.
  • The MailStore Server with over 4 million historical messages was brought online and accessible to users.
  • CRM/Orders/Invoices/Accounts Payable (AP)/Accounts Receivables (AR)/Inventory Control modules were 100% restored.
  • A new Palo Alto Networks PA-850 security appliance was deployed.
  • 90% of the desktops and laptops were functioning as before the incident.

"A huge amount of what went on that first week is mostly a blur for me, but my team will not forget the dedication each member of the team put in to give us our company back. I've entrusted Progent for at least 10 years, maybe more, and each time I needed help Progent has outperformed my expectations and delivered. This time was a stunning achievement."

Conclusion
A potentially company-ending disaster was averted by results-oriented professionals, a broad spectrum of knowledge, and close teamwork. In hindsight, the ransomware penetration described here would have been prevented by modern security technology and recognized best practices: user and IT administrator training, a well-designed backup procedure that keeps copies offline or otherwise out of reach of a compromised domain, and prompt installation of security patches. But state-sponsored and criminal attackers from China, Russia, North Korea and elsewhere are tireless and represent an ongoing threat. If you do fall victim to a ransomware attack, be confident that Progent's team has extensive experience in ransomware blocking, cleanup, and disaster recovery.


"So, to Darrin, Matt, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others who were helping), thank you for allowing me to get some sleep after we got through the initial fire. All of you made an incredible effort, and if any of your team is around the Chicago area, dinner is the least I can do!"

To read or download a PDF version of this customer story, please click:
Progent's Ryuk Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent offers businesses in Garland a range of remote monitoring and security assessment services to help you minimize your exposure to ransomware. These services use next-generation machine-learning capabilities to detect zero-day variants of crypto-ransomware that evade legacy signature-based security products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) service that uses next-generation behavior-based machine learning to defend physical and virtual endpoints against new malware attacks such as ransomware and file-less exploits, which easily escape traditional signature-based anti-virus tools. ProSight Active Security Monitoring protects local and cloud-based resources and offers a single platform to address the entire threat lifecycle: blocking, identification, mitigation, remediation, and forensics. Top capabilities include single-click rollback using the Windows Volume Shadow Copy Service (which only helps if the shadow copies survive; ransomware routinely deletes them before encrypting, so detecting that step early matters) and automatic system-wide immunization against newly discovered threats. Read more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Protection and Microsoft Exchange Email Filtering
    ProSight Enhanced Security Protection services offer economical multi-layer security for physical servers and VMs, desktops, mobile devices, and Exchange email. ProSight ESP uses adaptive security and advanced machine learning for round-the-clock monitoring of and response to cyber threats from all attack vectors. ProSight ESP delivers firewall protection, intrusion alerts, endpoint control, and web filtering via cutting-edge tools incorporated within a single agent managed from a unified console. Progent's security and virtualization consultants can help your business plan and configure a ProSight ESP environment that meets your organization's needs and that helps you demonstrate compliance with legal and industry information security regulations. Progent will help you define and implement the policies that ProSight ESP enforces, and Progent will monitor your IT environment and respond to alerts that call for urgent attention. Progent's consultants can also help you install and verify a backup and restore solution such as ProSight Data Protection Services so you can recover rapidly from a destructive cyber attack like ransomware. Find out more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint protection and Microsoft Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services provide small and mid-sized organizations a low-cost, fully managed solution for reliable backup and disaster recovery (BDR). For a low monthly cost, ProSight DPS automates your backup processes and allows fast recovery of critical files, applications and VMs that have been lost or damaged through component failures, software glitches, disasters, human error, or malicious attacks such as ransomware. ProSight DPS can help you protect, retrieve and restore files, folders, applications, system images, plus Microsoft Hyper-V and VMware virtual machine images. Important data can be protected in the cloud, on an on-premises device, or mirrored to both. Progent's BDR specialists can deliver advanced support to configure ProSight DPS to comply with government and industry regulatory requirements like HIPAA, FINRA, PCI and Safe Harbor and, whenever necessary, can help you recover your critical data. Learn more about ProSight Data Protection Services Managed Backup.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering service that uses the technology of leading data security companies to deliver centralized management and comprehensive protection for all your email traffic. The hybrid architecture of Email Guard combines cloud-based filtering with a local gateway appliance to provide advanced protection against spam, viruses, denial-of-service attacks, directory harvest attacks (DHAs), and other email-borne malware. Email Guard's cloud filter serves as a first line of defense and blocks the vast majority of unwanted email before it reaches your security perimeter. This decreases your exposure to external threats and saves network bandwidth and storage space. Email Guard's onsite security gateway device provides a further layer of inspection for incoming email. For outbound email, the local gateway offers anti-virus and anti-spam protection, protection against data leaks, and email encryption. The on-premises security gateway can also assist Exchange Server to track and protect internal email traffic that originates and ends within your security perimeter. For more information, visit ProSight Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is an infrastructure management service that makes it simple and inexpensive for small and mid-sized organizations to map out, track, enhance and troubleshoot their connectivity hardware such as routers and switches, firewalls, and access points plus servers, client computers and other devices. Using state-of-the-art RMM technology, WAN Watch makes sure that network diagrams are always updated, copies and manages the configuration of almost all devices connected to your network, monitors performance, and sends alerts when potential issues are detected. By automating complex management and troubleshooting processes, ProSight WAN Watch can knock hours off common chores such as network mapping, reconfiguring your network, locating devices that need important software patches, or identifying the cause of performance problems. Learn more about ProSight WAN Watch infrastructure monitoring and management consulting.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring
    ProSight LAN Watch is Progent's server and desktop monitoring service that uses advanced remote monitoring and management (RMM) technology to help keep your IT system running at peak levels by tracking the health of the vital computers that power your information system. When ProSight LAN Watch detects a problem, an alarm is sent automatically to your specified IT management personnel and your Progent engineering consultant so that looming issues can be addressed before they have a chance to disrupt your network. Learn more about ProSight LAN Watch server and desktop remote monitoring consulting.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
    With ProSight Virtual Hosting service, a small or mid-size business can have its critical servers and applications hosted in a protected Tier III data center on a high-performance virtual machine host configured and maintained by Progent's network support experts. Under Progent's ProSight Virtual Hosting model, the customer owns the data, the OS platforms, and the apps. Because the system is virtualized, it can be ported easily to an alternate hardware environment without requiring a time-consuming and technically risky configuration process. With ProSight Virtual Hosting, your business is not locked into one hosting provider. Learn more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to capture, maintain, retrieve and protect data related to your network infrastructure, procedures, applications, and services. You can quickly locate passwords or IP addresses and be warned automatically about impending expirations of SSL certificates or warranties. By updating and organizing your network documentation, you can save as much as half the time spent trying to find critical information about your IT network. ProSight IT Asset Management includes a centralized repository for holding and sharing all documents related to managing your business network, such as standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also supports advanced automation for collecting and associating IT information. Whether you're planning enhancements, doing regular maintenance, or responding to an emergency, ProSight IT Asset Management gets you the data you require as soon as you need it. Find out more about Progent's ProSight IT Asset Management service.
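The shadow-copy rollback mentioned under ProSight Active Security Monitoring above only works if the shadow copies still exist, and Ryuk-class ransomware, which also hunts down backups as described at the top of this page, deletes them before encryption begins. The following Python script is an added example, not Progent's code or part of any ProSight product: it scans process-creation events for the commands that destroy Windows recovery points and flags hosts that show several of them, which is the moment to isolate the machine rather than wait for the encryption to finish. The event format (JSON lines with ts/host/user/parent/cmd fields, roughly what a log shipper produces from Sysmon Event ID 1 or Security event 4688) and the sample events are assumptions constructed for this example.

```python
"""Added example, not Progent's or ProSight code: detect the commands that
Ryuk-class ransomware runs to destroy Windows recovery points (Volume Shadow
Copies, backup catalogs, boot recovery) before it starts encrypting.

Input is assumed to be JSON-lines process-creation events with the fields
ts/host/user/parent/cmd, the shape a log shipper might produce from Sysmon
Event ID 1 or Security event 4688. The sample events below are constructed."""
import json
import re
from collections import defaultdict
from dataclasses import dataclass

# One rule per recovery-inhibition technique. Rules match on the full command
# line, case-insensitively, so casing and argument order do not matter.
# Read-only commands such as "vssadmin list shadows" deliberately do not match.
RECOVERY_TAMPER_RULES = {
    "vss_delete": re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.I),
    "vss_resize": re.compile(r"\bvssadmin(?:\.exe)?\b.*\bresize\s+shadowstorage\b", re.I),
    "wmic_vss_delete": re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
    "ps_vss_delete": re.compile(r"\bWin32_ShadowCopy\b.*\bDelete\b", re.I),
    "wbadmin_delete": re.compile(
        r"\bwbadmin(?:\.exe)?\b.*\bdelete\s+(?:catalog|systemstatebackup)\b", re.I),
    "bcdedit_no_recovery": re.compile(
        r"\bbcdedit(?:\.exe)?\b.*(?:recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b",
        re.I),
}


@dataclass(frozen=True)
class Finding:
    ts: str
    host: str
    user: str
    rule: str
    cmd: str


def parse_events(jsonl: str):
    """Yield one dict per non-blank line; a malformed line is skipped, not fatal."""
    for line in jsonl.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def detect(jsonl: str) -> list[Finding]:
    """Return one Finding for every (event, rule) pair that matches."""
    findings = []
    for ev in parse_events(jsonl):
        cmd = ev.get("cmd", "")
        for name, rx in RECOVERY_TAMPER_RULES.items():
            if rx.search(cmd):
                findings.append(Finding(ev.get("ts", ""), ev.get("host", ""),
                                        ev.get("user", ""), name, cmd))
    return findings


def hosts_to_isolate(findings: list[Finding], min_rules: int = 2) -> list[str]:
    """A single vssadmin call may be an administrator at work; several distinct
    techniques on the same host is the pre-encryption pattern and is the point
    at which the host should be cut off from the network."""
    rules_by_host = defaultdict(set)
    for f in findings:
        rules_by_host[f.host].add(f.rule)
    return sorted(h for h, rules in rules_by_host.items() if len(rules) >= min_rules)


# Constructed sample: an off-hours burst on a file server plus benign noise.
SAMPLE_EVENTS = r"""
{"ts":"2019-11-02T02:13:44Z","host":"FILESRV01","user":"CORP\\svc_backup","parent":"C:\\Windows\\System32\\cmd.exe","cmd":"vssadmin.exe Delete Shadows /All /Quiet"}
{"ts":"2019-11-02T02:13:45Z","host":"FILESRV01","user":"CORP\\svc_backup","parent":"C:\\Windows\\System32\\cmd.exe","cmd":"vssadmin.exe resize shadowstorage /for=C: /on=C: /maxsize=401MB"}
{"ts":"2019-11-02T02:13:46Z","host":"FILESRV01","user":"CORP\\svc_backup","parent":"C:\\Windows\\System32\\cmd.exe","cmd":"bcdedit /set {default} recoveryenabled No"}
{"ts":"2019-11-02T02:13:47Z","host":"FILESRV01","user":"CORP\\svc_backup","parent":"C:\\Windows\\System32\\cmd.exe","cmd":"wbadmin DELETE CATALOG -quiet"}
{"ts":"2019-11-02T02:14:01Z","host":"FILESRV01","user":"CORP\\svc_backup","parent":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","cmd":"Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete()}"}
{"ts":"2019-11-02T08:05:10Z","host":"WS042","user":"CORP\\jdoe","parent":"C:\\Windows\\explorer.exe","cmd":"\"C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE\""}
{"ts":"2019-11-02T09:30:00Z","host":"BKUP01","user":"CORP\\admin","parent":"C:\\Windows\\System32\\cmd.exe","cmd":"vssadmin list shadows"}
"""

if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for f in found:
        print(f"{f.ts} {f.host} {f.user} [{f.rule}] {f.cmd}")
    print("isolate:", hosts_to_isolate(found))
```

Tune min_rules to the environment: a lone shadowstorage resize from a backup administrator is normal, but a host that deletes its shadow copies, shrinks shadow storage, wipes the backup catalog and disables boot recovery within a minute, at 02:13 on a Saturday as in the constructed sample, is almost never legitimate and should be isolated immediately.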
For 24-7 Garland Crypto-Ransomware Cleanup Support Services, reach out to Progent at 800-993-9400 or go to Contact Progent.