Ransomware: Your Worst Information Technology Catastrophe
Crypto-ransomware has become a modern cyber pandemic that presents an extinction-level threat for organizations unprepared for an assault. Earlier iterations of ransomware such as the CrySIS, WannaCry, Bad Rabbit, Syskey and MongoLock cryptoworms have been running rampant for years and still inflict havoc. The latest strains, such as Ryuk, Maze, Sodinokibi, DopplePaymer, Conti and Egregor, along with frequent as-yet-unnamed malware, not only encrypt on-line files but also corrupt any configured system protection that is reachable from the network. Files synchronized to off-site disaster recovery sites can likewise be rendered useless. In a vulnerable system this can make automatic restoration impossible and effectively knocks the network back to zero.
Restoring applications and data after a crypto-ransomware intrusion becomes a race against the clock as the targeted organization struggles to stop lateral movement, remove the malware and restore enterprise-critical activity. Since ransomware needs time to replicate, attacks are frequently sprung on weekends and holidays, when a successful attack often takes longer to identify. This compounds the difficulty of quickly marshalling and organizing a knowledgeable mitigation team.
Progent has an assortment of solutions for securing enterprises from crypto-ransomware attacks. These include staff education to help recognize and not fall victim to phishing exploits, ProSight Active Security Monitoring for remote monitoring and management, in addition to deployment of next-generation security appliances with machine learning capabilities to rapidly detect and disable zero-day cyber threats. Progent also provides the services of experienced ransomware recovery consultants with the talent and commitment to re-deploy a breached environment as soon as possible.
Progent's Crypto-Ransomware Restoration Services
Following a ransomware attack, sending the ransom in cryptocurrency provides no assurance that the cyber criminals will return the keys needed to decrypt all your data. Kaspersky Labs estimated that 17% of crypto-ransomware victims never restored their files after having sent off the ransom, resulting in further losses. The ransom itself is also costly. Ryuk ransoms frequently range from fifteen to forty BTC ($120,000 to $400,000). This is well above the average crypto-ransomware demand, which ZDNet puts at around $13,000. The other path is to re-install the key components of your Information Technology environment. Absent complete data backups, this calls for a wide range of IT skills, top-notch team management, and the capability to work 24x7 until the job is finished.
For decades, Progent has offered certified expert IT services for businesses in Brasília and across the United States and has earned Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes engineers who have earned advanced industry certifications in key technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity consultants have garnered internationally recognized industry certifications including CISA, CISSP, ISACA CRISC, and SANS GIAC. (Visit Progent's certifications). Progent also has expertise in financial management and ERP applications. This breadth of expertise gives Progent the skills to knowledgeably assess the necessary systems, re-organize the surviving components of your network following a ransomware attack, and assemble them into an operational network.
Progent's recovery team of experts utilizes top notch project management systems to orchestrate the complicated restoration process. Progent appreciates the importance of acting quickly and in concert with a customer’s management and IT staff to prioritize tasks and to put critical services back on line as fast as possible.
Client Story: A Successful Ransomware Penetration Restoration
A customer hired Progent after their network was brought down by the Ryuk ransomware. Ryuk is believed to have been developed by North Korean state-sponsored hackers, suspected of using technology leaked from the United States National Security Agency. Ryuk targets specific businesses with limited tolerance for operational disruption and is one of the most profitable versions of ransomware malware. Headline victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a single-location manufacturing business based in Chicago with around 500 employees. The Ryuk intrusion had paralyzed all essential operations and manufacturing capabilities. Most of the client's backups had been directly accessible from the network at the start of the intrusion and were eventually encrypted. The client considered paying the ransom (in excess of $200K) and hoping for the best, but in the end reached out to Progent.
"I cannot tell you enough about the support Progent provided us during the most critical period of (our) company’s survival. We would have paid the hackers behind this attack if it wasn’t for the confidence the Progent team afforded us. That you were able to get our e-mail and important applications back in less than seven days was beyond my wildest dreams. Each person I worked with or texted at Progent was amazingly focused on getting my company operational and was working at breakneck pace to bail us out."
Progent worked with the client to quickly understand and prioritize the most important elements that needed to be addressed to make it possible to continue company operations:
- Active Directory (AD)
- Microsoft Exchange
To begin, Progent adhered to anti-virus/malware incident mitigation best practices by halting lateral movement and cleaning up infected systems. Progent then initiated the task of restoring Windows Active Directory, the heart of enterprise networks built on Microsoft Windows technology. Microsoft Exchange Server messaging will not operate without Windows AD, and the client's accounting and MRP software relied on SQL Server, which needs Active Directory services to authenticate access to the data.
In less than two days, Progent was able to re-build Windows Active Directory to its pre-attack state. Progent then helped perform reinstallations and hard drive recovery for the needed applications. All Exchange schema and attributes were usable, which accelerated the restoration of Exchange. Progent was able to gather non-encrypted OST data files (Microsoft Outlook Offline Folder Files) from various desktop and laptop computers in order to recover mail data. A recent offline backup of the client's accounting/ERP systems made it possible to bring these required services back on-line. Although a lot of work remained to recover completely from the Ryuk attack, essential systems were returned to operation quickly:
"For the most part, the assembly line operation never missed a beat and we did not miss any customer orders."
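The mail recovery step above relied on finding Outlook OST files on workstations that the ransomware had not reached. The following script is an added illustration of how a recovery team might triage such files at scale; it is not Progent's tooling and is not from the case study. It assumes only that intact Outlook OST/PST files begin with the PFF format signature "!BDN" (a fact about the file format, not something the page states), and it runs over constructed sample files rather than real mailbox data.

```python
import os
import tempfile

# Intact Outlook OST/PST files (Microsoft PFF format) begin with the
# four-byte signature "!BDN". A file whose contents were overwritten by
# ransomware will not carry this header, whatever its name or extension.
PFF_SIGNATURE = b"!BDN"


def classify_ost(path):
    """Return 'intact', 'damaged' or 'unreadable' for one candidate OST file."""
    try:
        with open(path, "rb") as fh:
            header = fh.read(len(PFF_SIGNATURE))
    except OSError:
        return "unreadable"
    return "intact" if header == PFF_SIGNATURE else "damaged"


def triage_ost_files(root):
    """Walk root and classify every file whose name contains '.ost'.

    Matching on '.ost' anywhere in the name (case-insensitive) also catches
    files that ransomware renamed by appending its own extension.
    """
    results = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if ".ost" in name.lower():
                full = os.path.join(dirpath, name)
                results[full] = classify_ost(full)
    return results


def build_sample_tree(root):
    """Create constructed sample files under root (not real mailbox data).

    One file carries a valid header, one was 'overwritten' and renamed with a
    placeholder extension, and one is unrelated and must be ignored.
    """
    samples = {
        os.path.join("alice", "Outlook", "alice@example.com.ost"): PFF_SIGNATURE + b"\x00" * 60,
        os.path.join("bob", "Outlook", "bob@example.com.ost.locked"): bytes(range(64)),
        os.path.join("carol", "Outlook", "notes.txt"): b"not a mailbox",
    }
    for rel, content in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(content)
    return root


def demo_triage():
    """Build the sample tree in a temp dir and return {basename: status}."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return {os.path.basename(p): s for p, s in triage_ost_files(tmp).items()}


if __name__ == "__main__":
    for name, status in sorted(demo_triage().items()):
        print(f"{status:10} {name}")
```

In a real engagement the walk would be pointed at user profile directories on each workstation (or at a read-only copy of them); the header check is cheap enough to run across an entire fleet and yields a list of candidate OST files worth copying before anything else touches those machines.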
During the following couple of weeks important milestones in the recovery project were completed in tight cooperation between Progent engineers and the client:
- Self-hosted web applications were returned to operation with no loss of data.
- The MailStore Exchange Server containing more than 4 million historical emails was restored to operations and accessible to users.
- CRM/Customer Orders/Invoicing/Accounts Payable/Accounts Receivables/Inventory Control capabilities were 100% operational.
- A new Palo Alto Networks 850 firewall was installed and configured.
- Ninety percent of the desktop computers were operational.
"A lot of what transpired those first few days is nearly entirely a fog for me, but my team will not soon forget the dedication each of the team accomplished to give us our company back. I have been working together with Progent for the past ten years, maybe more, and every time I needed help Progent has shined and delivered as promised. This time was the most impressive ever."
A likely enterprise-killing disaster was averted thanks to results-oriented experts, a broad range of knowledge, and tight collaboration. Although post-incident forensics showed that the ransomware attack described here would have been identified and stopped by advanced security systems, NIST Cybersecurity Framework or ISO/IEC 27001 best practices, user and IT administrator training, and well-designed procedures for backup and patching, the reality remains that state-sponsored cyber criminals from China, North Korea and elsewhere are relentless and are not going away. If you do fall victim to crypto-ransomware, be assured that Progent's roster of professionals has a proven track record in ransomware blocking, removal, and data disaster recovery.
"So, to Darrin, Matt, Aaron, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others that were contributing), I’m grateful for allowing me to get rested after we got past the first week. All of you did an impressive job, and if anyone is visiting the Chicago area, a great meal is on me!"
To review or download a PDF version of this customer case study, see Progent's Crypto-Ransomware Virus Recovery Case Study Datasheet (PDF, 282 KB).
Additional Crypto-Ransomware Protection Services Available from Progent
Progent offers businesses in Brasília a range of remote monitoring and security evaluation services designed to assist you to reduce the threat from ransomware. These services utilize modern AI technology to uncover new strains of crypto-ransomware that can get past traditional signature-based security solutions.
For Brasília 24-7 Ransomware Remediation Help, call Progent at 800-993-9400 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
ProSight Active Security Monitoring is an endpoint protection solution that utilizes next generation behavior-based machine learning technology to defend physical and virtual endpoints against new malware attacks like ransomware and file-less exploits, which easily evade legacy signature-based AV products. ProSight Active Security Monitoring protects local and cloud-based resources and offers a single platform to automate the entire threat progression including filtering, infiltration detection, mitigation, remediation, and post-attack forensics. Top features include single-click rollback with Windows VSS and real-time network-wide immunization against new threats. Learn more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware recovery.
- ProSight Enhanced Security Protection (ESP): Endpoint Protection and Microsoft Exchange Email Filtering
ProSight Enhanced Security Protection (ESP) services offer affordable multi-layer security for physical servers and virtual machines, desktops, smartphones, and Exchange email. ProSight ESP uses adaptive security and modern behavior analysis for round-the-clock monitoring and response to security attacks from all vectors. ProSight ESP provides firewall protection, intrusion alerts, endpoint management, and web filtering via cutting-edge technologies incorporated within a single agent accessible from a single console. Progent's data protection and virtualization consultants can assist your business to plan and configure a ProSight ESP environment that addresses your organization's unique needs and that allows you to prove compliance with legal and industry data protection standards. Progent will assist you in specifying and configuring the policies that ProSight ESP will enforce, and Progent will monitor your network and react to alerts that call for immediate attention. Progent's consultants can also assist you to install and test a backup and restore solution like ProSight Data Protection Services so you can recover quickly from a destructive cyber attack such as ransomware. Find out more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint security and Microsoft Exchange email filtering.
- ProSight Data Protection Services: Managed Backup and Recovery
ProSight Data Protection Services provide small and medium-sized businesses an affordable and fully managed solution for secure backup and disaster recovery (BDR). For a low monthly rate, ProSight DPS automates and monitors your backup processes and allows rapid restoration of critical files, apps and virtual machines that have become lost or corrupted due to component breakdowns, software bugs, natural disasters, human mistakes, or malicious attacks like ransomware. ProSight DPS can help you back up, retrieve and restore files, folders, apps, system images, as well as Microsoft Hyper-V and VMware images. Important data can be backed up to the cloud, to an on-premises storage device, or to both. Progent's cloud backup consultants can deliver advanced expertise to set up ProSight DPS to comply with government and industry regulatory requirements such as HIPAA, FERPA, PCI and Safe Harbor and, when necessary, can assist you to restore your critical information. Read more about ProSight Data Protection Services Managed Backup.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam and virus filtering service that uses the technology of top information security vendors to provide centralized control and comprehensive security for all your inbound and outbound email. The architecture of Progent's Email Guard integrates cloud-based filtering with an on-premises gateway device to offer advanced protection against spam, viruses, DoS attacks, Directory Harvest Attacks (DHAs), and other email-borne malware. Email Guard's Cloud Protection Layer serves as a preliminary barricade and keeps most unwanted email from reaching your security perimeter. This reduces your exposure to external attacks and conserves network bandwidth and storage space. Email Guard's on-premises security gateway device adds a deeper layer of inspection for inbound email. For outbound email, the onsite security gateway provides anti-virus and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The onsite security gateway can also help Microsoft Exchange Server to monitor and protect internal email traffic that stays inside your corporate firewall. For more details, visit Email Guard spam filtering and data leakage protection.
- ProSight WAN Watch: Infrastructure Management
ProSight WAN Watch is an infrastructure monitoring and management service that makes it simple and inexpensive for smaller businesses to map, monitor, reconfigure and troubleshoot their networking hardware such as routers and switches, firewalls, and wireless controllers as well as servers, printers, client computers and other devices. Incorporating state-of-the-art Remote Monitoring and Management technology, WAN Watch makes sure that network diagrams are kept updated, copies and displays the configuration information of almost all devices on your network, monitors performance, and generates alerts when issues are detected. By automating complex management activities, WAN Watch can cut hours off common chores like making network diagrams, expanding your network, finding appliances that require critical software patches, or resolving performance bottlenecks. Find out more about ProSight WAN Watch infrastructure monitoring and management services.
- ProSight LAN Watch: Server and Desktop Remote Monitoring
ProSight LAN Watch is Progent’s server and desktop monitoring service that incorporates state-of-the-art remote monitoring and management technology to help keep your network operating efficiently by tracking the health of critical assets that drive your business network. When ProSight LAN Watch detects an issue, an alert is transmitted automatically to your specified IT management staff and your assigned Progent engineering consultant so all looming problems can be addressed before they can disrupt productivity. Learn more details about ProSight LAN Watch server and desktop monitoring services.
- ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
With Progent's ProSight Virtual Hosting service, a small or mid-size business can have its key servers and applications hosted in a secure Tier III data center on a high-performance virtual machine host configured and managed by Progent's IT support professionals. With Progent's ProSight Virtual Hosting service model, the client retains ownership of the data, the operating system software, and the applications. Because the system is virtualized, it can be moved easily to a different hardware environment without a lengthy and technically risky reinstallation process. With ProSight Virtual Hosting, you are not locked into one hosting provider. Find out more details about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to capture, update, find and protect information related to your IT infrastructure, procedures, business apps, and services. You can quickly find passwords or IP addresses and be alerted automatically about impending expirations of SSL certificates or domain registrations. By cleaning up and organizing your network documentation, you can eliminate up to 50% of the time wasted trying to find critical information about your IT network. ProSight IT Asset Management includes a common location for holding and collaborating on all documents required for managing your network infrastructure, such as recommended procedures and self-service instructions. ProSight IT Asset Management also supports advanced automation for gathering and relating IT data. Whether you’re planning improvements, doing maintenance, or reacting to an emergency, ProSight IT Asset Management delivers the data you need when you need it. Read more about ProSight IT Asset Management service.