Ransomware : Your Feared IT Nightmare
Crypto-ransomware has become a modern cyber pandemic that presents an enterprise-level danger for organizations poorly prepared for an attack. Different iterations of crypto-ransomware such as CryptoLocker, Fusob, Locky, NotPetya and MongoLock cryptoworms have been replicating for a long time and still inflict damage. More recent strains of crypto-ransomware such as Ryuk, Maze, Sodinokibi, Netwalker, Snatch or Egregor, along with daily unnamed viruses, not only encrypt on-line data files but also infect most configured system backups. Information synchronized to the cloud can also be corrupted. In a poorly architected environment, this can render automated recovery hopeless and effectively set the entire system back to square one.
Retrieving programs and data following a ransomware outage becomes a sprint against time as the targeted business tries its best to contain and clean up the crypto-ransomware and to restore mission-critical activity. Since ransomware requires time to spread, attacks are frequently launched on weekends and holidays, when they may take longer to discover. This compounds the difficulty of promptly marshalling and organizing an experienced mitigation team.
Progent has a variety of solutions for securing organizations from crypto-ransomware attacks. These include team education to help recognize and avoid phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, plus installation of modern security solutions with machine learning technology to rapidly discover and extinguish zero-day cyber attacks. Progent also offers the services of veteran ransomware recovery engineers with the talent and commitment to rebuild a breached network as urgently as possible.
Progent's Crypto-Ransomware Restoration Support Services
Subsequent to a ransomware attack, even paying the ransom demands in cryptocurrency does not provide any assurance that distant criminals will return the keys to decipher all your data. Kaspersky determined that seventeen percent of ransomware victims never restored their information even after having sent off the ransom, resulting in additional losses. The gamble is also very costly. Ryuk ransoms commonly range from fifteen to forty BTC ($120,000 to $400,000). This is greatly above the average ransomware demand, which ZDNET determined to be approximately $13,000. The fallback is to re-install the mission-critical parts of your Information Technology environment. Without access to complete data backups, this requires a broad range of IT skills, well-coordinated project management, and the willingness to work continuously until the recovery project is finished.
For decades, Progent has offered professional Information Technology services for businesses in Baton Rouge and across the US and has achieved Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes consultants who have attained high-level industry certifications in key technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity specialists have earned internationally-recognized industry certifications including CISA, CISSP-ISSAP, CRISC, and GIAC. (Visit Progent's certifications). Progent also has expertise in financial management and ERP software solutions. This breadth of experience affords Progent the capability to rapidly identify critical systems and integrate the surviving parts of your IT system after a ransomware event and assemble them into an operational system.
Progent's ransomware group deploys state-of-the-art project management tools to orchestrate the complex restoration process. Progent understands the importance of acting rapidly and in unison with a customer's management and IT resources to prioritize tasks and to get critical systems back on-line as fast as possible.
Business Case Study: A Successful Crypto-Ransomware Intrusion Recovery
A business hired Progent after their company was crippled by the Ryuk crypto-ransomware. Ryuk is believed to have been launched by North Korean government-sponsored cybercriminals, possibly adopting algorithms leaked from America's NSA organization. Ryuk attacks specific businesses with limited room for operational disruption and is among the most profitable examples of ransomware malware. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a small manufacturing company located in the Chicago metro area with around 500 staff members. The Ryuk attack had disabled all company operations and manufacturing processes. The majority of the client's data backups had been online at the beginning of the attack and were eventually encrypted. The client was actively seeking loans to pay the ransom demand (more than $200K) and hoping for the best, but in the end engaged Progent.
"I cannot say enough about the help Progent provided us throughout the most stressful time of (our) business's survival. We would have paid the cyber criminals if not for the confidence the Progent group gave us. The fact that you were able to get our messaging and essential applications back sooner than a week was earth shattering. Each expert I interacted with or communicated with at Progent was absolutely committed to getting our system up and was working 24/7 on our behalf."
Progent worked together with the client to quickly identify and assign priority to the mission-critical systems that needed to be addressed to make it possible to resume business functions:
- Active Directory (AD)
- Exchange Server
To start, Progent followed AV/malware incident response industry best practices by isolating and clearing infected systems. Progent then started the process of recovering Microsoft AD, the core of enterprise systems built upon Microsoft Windows Server technology. Microsoft Exchange messaging will not function without AD, and the customer's financials and MRP system used Microsoft SQL Server, which requires Windows AD for authentication to the database.
Within two days, Progent was able to rebuild Active Directory to its pre-virus state. Progent then charged ahead with reinstallations and hard drive recovery on critical applications. All Exchange Server schema and attributes were intact, which accelerated the restore of Exchange. Progent was able to locate local OST files (Outlook Off-Line Folder Files) on staff PCs in order to recover mail information. A fairly recent off-line backup of the business's accounting/ERP software made it possible to bring these essential applications back online for users. Although a lot of work still had to be done to recover completely from the Ryuk event, core systems were returned to operations rapidly:
"For the most part, the production line operation ran fairly normal throughout and we delivered all customer sales."
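The OST recovery step above depends on knowing which cached mailbox files on staff PCs survived the encryption. The following script is an added example, not Progent's tooling or code from this case study: it walks a directory tree (in practice a share or mounted workstation disk; here a constructed temporary tree), finds .ost and .pst files, and classifies each by checking the 4-byte "!BDN" magic that begins every Outlook OST/PST file (documented in Microsoft's MS-PST specification). A store whose header has been overwritten is reported as damaged so recovery effort goes first to the largest intact stores. The sample mailbox names and sizes are constructed; the header check is deliberately coarse triage, since a file with a valid header can still be corrupted further in.

```python
import os
import tempfile
from pathlib import Path

# Every Outlook OST/PST begins with dwMagic 0x4E444221, i.e. the bytes "!BDN".
OUTLOOK_MAGIC = b"!BDN"
MAIL_STORE_SUFFIXES = {".ost", ".pst"}


def classify_mail_store(path: Path) -> str:
    """Return 'intact' if the file starts with the Outlook magic, else 'damaged'."""
    try:
        with path.open("rb") as fh:
            header = fh.read(4)
    except OSError:
        return "unreadable"
    return "intact" if header == OUTLOOK_MAGIC else "damaged"


def inventory_mail_stores(root: Path) -> list[dict]:
    """Walk root and return one record per .ost/.pst, largest intact stores first."""
    results = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if p.suffix.lower() in MAIL_STORE_SUFFIXES:
                results.append({
                    "path": str(p),
                    "size": p.stat().st_size,
                    "status": classify_mail_store(p),
                })
    # Intact stores sort before damaged ones; within a group, bigger first
    results.sort(key=lambda r: (r["status"] != "intact", -r["size"]))
    return results


def summarize(root: Path) -> dict:
    """Split the inventory into recoverable and lost stores with a byte total."""
    inv = inventory_mail_stores(root)
    return {
        "intact": [r["path"] for r in inv if r["status"] == "intact"],
        "damaged": [r["path"] for r in inv if r["status"] != "intact"],
        "recoverable_bytes": sum(r["size"] for r in inv if r["status"] == "intact"),
    }


def build_sample_tree() -> Path:
    """Constructed sample: two intact stores, one store whose header was overwritten,
    and one unrelated file that must be ignored."""
    root = Path(tempfile.mkdtemp(prefix="ost_inventory_"))
    (root / "alice").mkdir()
    (root / "bob").mkdir()
    (root / "alice" / "alice@example.com.ost").write_bytes(OUTLOOK_MAGIC + b"\x00" * 4096)
    (root / "bob" / "bob@example.com.ost").write_bytes(OUTLOOK_MAGIC + b"\x00" * 1024)
    # Simulated encrypted store: first bytes no longer match the Outlook header
    (root / "bob" / "archive.pst").write_bytes(b"\xde\xad\xbe\xef" + b"\x00" * 2048)
    (root / "bob" / "notes.txt").write_text("not a mail store")
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    for row in inventory_mail_stores(sample):
        print(f"{row['status']:8} {row['size']:>8} {row['path']}")
```

Run it against a real mount by calling `inventory_mail_stores(Path("/mnt/workstation"))` instead of the constructed tree; the "damaged" list is also a quick way to confirm how far the encryption reached across user profiles.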
During the following couple of weeks critical milestones in the recovery process were completed through tight collaboration between Progent engineers and the client:
- Self-hosted web applications were brought back up without losing any data.
- The MailStore Exchange Server containing more than four million archived emails was restored to operations and available for users.
- CRM/Product Ordering/Invoicing/Accounts Payable/AR/Inventory functions were completely operational.
- A new Palo Alto 850 security appliance was brought on-line.
- Nearly all of the user desktops and notebooks were operational.
"Much of what happened in the initial days is mostly a haze for me, but I will not soon forget the countless hours each of you put in to give us our company back. I've trusted Progent for at least 10 years, maybe more, and each time I needed help Progent has shined and delivered. This situation was a stunning achievement."
A likely enterprise-killing disaster was evaded due to hard-working experts, a broad range of subject matter expertise, and tight teamwork. Although in retrospect the crypto-ransomware virus attack detailed here should have been blocked with up-to-date security systems and NIST Cybersecurity Framework or ISO/IEC 27001 best practices, team education, and appropriate security procedures for information backup and proper patching controls, the reality remains that state-sponsored hackers from China, Russia, North Korea and elsewhere are relentless and represent an ongoing threat. If you do get hit by a crypto-ransomware attack, remember that Progent's team of experts has a proven track record in crypto-ransomware virus defense, remediation, and data disaster recovery.
"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (along with others who were involved), thanks very much for allowing me to get rested after we got over the initial push. All of you did a fabulous job, and if anyone that helped is in the Chicago area, dinner is the least I can do!"
To read or download a PDF version of this customer case study, click:
Progent's Ryuk Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Offered by Progent
Progent can provide businesses in Baton Rouge a range of remote monitoring and security evaluation services designed to assist you to reduce the threat from ransomware. These services include next-generation artificial intelligence technology to uncover zero-day variants of crypto-ransomware that are able to get past legacy signature-based security solutions.
For 24x7x365 Baton Rouge Crypto Remediation Services, call Progent at 800-993-9400 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring is an endpoint protection solution that incorporates next generation behavior machine learning technology to guard physical and virtual endpoints against new malware attacks like ransomware and file-less exploits, which routinely get by traditional signature-matching anti-virus tools. ProSight Active Security Monitoring safeguards local and cloud resources and offers a unified platform to manage the entire malware attack lifecycle including protection, infiltration detection, mitigation, remediation, and forensics. Key features include single-click rollback using Windows VSS and automatic system-wide immunization against new threats. Learn more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware recovery.
- ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Protection and Exchange Filtering
ProSight Enhanced Security Protection services offer ultra-affordable in-depth security for physical servers and VMs, workstations, smartphones, and Exchange email. ProSight ESP uses adaptive security and advanced heuristics for round-the-clock monitoring and reacting to cyber assaults from all vectors. ProSight ESP offers firewall protection, penetration alarms, device control, and web filtering via cutting-edge technologies packaged within a single agent accessible from a single console. Progent's data protection and virtualization experts can assist you to plan and implement a ProSight ESP environment that addresses your company's unique needs and that allows you to prove compliance with legal and industry data protection regulations. Progent will help you specify and implement security policies that ProSight ESP will manage, and Progent will monitor your network and respond to alarms that call for urgent attention. Progent's consultants can also assist you to set up and test a backup and restore solution such as ProSight Data Protection Services so you can get back in business rapidly from a potentially disastrous cyber attack such as ransomware. Find out more about Progent's ProSight Enhanced Security Protection unified endpoint security and Microsoft Exchange filtering.
- ProSight Data Protection Services: Managed Backup and Recovery
ProSight Data Protection Services provide small and mid-sized organizations a low-cost end-to-end solution for secure backup/disaster recovery (BDR). Available at a fixed monthly rate, ProSight DPS automates your backup activities and enables fast restoration of critical files, applications and virtual machines that have become lost or corrupted due to hardware breakdowns, software glitches, natural disasters, human error, or malware attacks such as ransomware. ProSight DPS can help you back up, recover and restore files, folders, applications, system images, plus Hyper-V and VMware images. Critical data can be backed up to the cloud, to a local storage device, or mirrored to both. Progent's BDR consultants can deliver advanced expertise to configure ProSight DPS to be compliant with regulatory requirements like HIPAA, FERPA, PCI and Safe Harbor and, when needed, can help you to restore your critical information. Learn more about ProSight DPS Managed Backup.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam and virus filtering and email encryption service that uses the infrastructure of leading data security vendors to provide centralized control and world-class protection for your inbound and outbound email. The hybrid structure of Email Guard combines a Cloud Protection Layer with an on-premises security gateway appliance to provide complete protection against spam, viruses, Denial of Service (DoS) Attacks, DHAs, and other email-borne threats. Email Guard's Cloud Protection Layer acts as a preliminary barricade and blocks the vast majority of unwanted email from making it to your security perimeter. This reduces your exposure to inbound attacks and conserves network bandwidth and storage space. Email Guard's on-premises gateway appliance adds a further level of inspection for incoming email. For outgoing email, the on-premises security gateway offers AV and anti-spam filtering, policy-based Data Loss Prevention, and email encryption. The local security gateway can also assist Exchange Server to monitor and protect internal email traffic that stays within your corporate firewall. For more details, visit ProSight Email Guard spam filtering and data leakage protection.
- ProSight WAN Watch: Network Infrastructure Management
Progent's ProSight WAN Watch is an infrastructure monitoring and management service that makes it easy and affordable for small and mid-sized businesses to diagram, track, reconfigure and debug their connectivity hardware like routers, firewalls, and load balancers as well as servers, printers, client computers and other devices. Incorporating cutting-edge Remote Monitoring and Management technology, WAN Watch ensures that infrastructure topology maps are always updated, captures and manages the configuration of almost all devices connected to your network, monitors performance, and sends notices when potential issues are detected. By automating time-consuming management and troubleshooting processes, WAN Watch can knock hours off common chores such as making network diagrams, expanding your network, locating devices that require critical updates, or identifying the cause of performance issues. Learn more details about ProSight WAN Watch network infrastructure monitoring and management services.
- ProSight LAN Watch: Server and Desktop Monitoring
ProSight LAN Watch is Progent's server and desktop monitoring managed service that incorporates advanced remote monitoring and management (RMM) technology to help keep your network operating at peak levels by tracking the health of critical assets that drive your information system. When ProSight LAN Watch uncovers an issue, an alarm is transmitted immediately to your designated IT management staff and your Progent engineering consultant so any looming issues can be addressed before they can impact your network. Learn more about ProSight LAN Watch server and desktop remote monitoring services.
- ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
With ProSight Virtual Hosting service, a small or mid-size business can have its critical servers and apps hosted in a secure Tier III data center on a fast virtual machine host configured and managed by Progent's network support professionals. With the ProSight Virtual Hosting model, the client retains ownership of the data, the OS software, and the apps. Since the environment is virtualized, it can be ported easily to a different hosting environment without a lengthy and technically risky configuration process. With ProSight Virtual Hosting, your business is not tied to one hosting provider. Find out more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to capture, maintain, find and protect information related to your network infrastructure, processes, business apps, and services. You can instantly find passwords or IP addresses and be warned about impending expirations of SSL certificates, domains or warranties. By updating and managing your network documentation, you can save up to 50% of the time thrown away looking for vital information about your network. ProSight IT Asset Management includes a common repository for storing and collaborating on all documents related to managing your business network like standard operating procedures (SOPs) and How-To's. ProSight IT Asset Management also supports a high level of automation for collecting and associating IT data. Whether you're making improvements, performing regular maintenance, or responding to an emergency, ProSight IT Asset Management gets you the data you need when you need it. Read more about ProSight IT Asset Management service.