Ransomware : Your Feared IT Nightmare
Ransomware has become an all-too-frequent cyber pandemic that presents an existential danger for organizations poorly prepared for an attack. Crypto-ransomware families such as Dharma, WannaCry, Bad Rabbit, SamSam and the MongoLock cryptoworms have been running rampant for years and still inflict destruction. Newer variants such as Ryuk, Maze, Sodinokibi, DoppelPaymer, LockBit and Egregor, as well as frequent unnamed malware, not only encrypt online data but also encrypt any reachable system restore points and backups. Data synchronized to cloud environments can also be ransomed. In a poorly designed data protection solution, this renders automated restore operations useless and effectively knocks the datacenter back to zero.
Restoring programs and information after a crypto-ransomware intrusion becomes a sprint against the clock as the victim tries its best to contain and clean up the crypto-ransomware and to resume business-critical operations. Because crypto-ransomware needs time to move laterally, intrusions are usually launched during nights and weekends, when attacks typically take longer to detect. This multiplies the difficulty of quickly marshalling and orchestrating an experienced response team.
Progent provides a variety of services for protecting enterprises from crypto-ransomware attacks. Among these are staff training to help employees recognize and not fall victim to phishing exploits, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and installation of modern AI-based security solutions that rapidly detect and suppress zero-day cyber attacks. Progent also offers the services of veteran crypto-ransomware recovery engineers with the skill and perseverance to restore a compromised environment as quickly as possible.
Progent's Crypto-Ransomware Restoration Services
After a crypto-ransomware intrusion, paying the ransom demand in Bitcoin does not ensure that merciless criminals will provide the keys needed to decrypt any of your data. Kaspersky Labs estimated that 17% of ransomware victims never restored their data after having sent off the ransom, resulting in additional losses. The gamble is also very costly. Ryuk ransoms often range from fifteen to forty BTC ($120,000 to $400,000). This is significantly above the usual crypto-ransomware demand, which ZDNet estimated to be in the range of $13,000. The alternative is to set up from scratch the mission-critical parts of your IT environment. Absent access to complete system backups, this calls for a wide range of skill sets, top-notch project management, and the capability to work continuously until the task is completed.
For two decades, Progent has provided certified expert IT services for companies in Waltham and throughout the US and has achieved Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes professionals who have attained advanced industry certifications in foundation technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cyber security experts have earned internationally recognized industry certifications including CISM, CISSP-ISSAP, ISACA CRISC, and GIAC. (Refer to Progent's certifications.) Progent in addition has experience with accounting and ERP software solutions. This breadth of expertise gives Progent the capability to rapidly identify critical systems, integrate the surviving pieces of your IT environment after a crypto-ransomware event, and rebuild them into an operational system.
Progent's ransomware team uses state-of-the-art project management applications to orchestrate the complex recovery process. Progent appreciates the urgency of acting swiftly and in unison with a client's management and Information Technology team members to assign priority to tasks and to put the most important services back on line as fast as possible.
Case Study: A Successful Ransomware Virus Response
A business hired Progent after their network was crippled by Ryuk crypto-ransomware. Ryuk is thought to have been deployed by North Korean state-sponsored criminal gangs, suspected of using technology leaked from the U.S. National Security Agency. Ryuk targets specific organizations with limited tolerance for operational disruption and is among the most profitable incarnations of ransomware. Highly publicized victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a regional manufacturing company located in Chicago with around 500 employees. The Ryuk intrusion had disabled all essential operations and manufacturing capabilities. Most of the client's data backups had been directly accessible from the network at the time of the attack and were encrypted. The client considered paying the ransom demand (more than $200K) and hoping for the best, but in the end engaged Progent.
"I can't say enough about the support Progent gave us during the most critical time of (our) company's survival. We most likely would have paid the Hackers except for the confidence the Progent experts gave us. The fact that you could get our messaging and important servers back on-line sooner than five days was beyond my wildest dreams. Every single staff member I interacted with or texted at Progent was hell bent on getting us restored and was working day and night to bail us out."
Progent worked together with the client to rapidly identify and prioritize the mission-critical systems that had to be addressed in order to restart departmental functions:
- Windows Active Directory
- Electronic Mail
- Accounting and Manufacturing Software
To begin, Progent followed ransomware incident response best practices by stopping lateral movement and cleaning systems of malware. Progent then started recovering Microsoft Active Directory, the foundation of enterprise networks built on Microsoft Windows. Microsoft Exchange Server messaging will not work without Windows AD, and the client's financials and MRP software relied on Microsoft SQL Server, which in turn depends on Windows AD for access to the data.
In less than two days, Progent was able to recover Active Directory to its pre-attack state. Progent then completed setup and storage recovery of the mission-critical applications. All Exchange Server data and attributes were intact, which facilitated the restore of Exchange. Progent was also able to find local OST files (Outlook Offline Folder Files) on staff PCs and laptops to recover email messages. A fairly recent offline backup of the business's financials/MRP systems allowed these essential applications to be restored to service. Although a large amount of work remained to recover fully from the Ryuk attack, core systems were recovered quickly:
"For the most part, the manufacturing operation never missed a beat and we delivered all customer deliverables."
During the next couple of weeks, critical milestones in the recovery process were achieved in close collaboration between Progent team members and the client:
- In-house web applications were restored with no loss of information.
- The MailStore Exchange Server archive, holding more than 4 million archived messages, was restored to operation and made accessible to users.
- CRM/Customer Orders/Invoicing/Accounts Payable (AP)/AR/Inventory modules were 100% operational.
- A new Palo Alto Networks 850 firewall was brought online.
- Nearly all of the user desktops and notebooks were back in use by staff.
"A lot of what occurred that first week is nearly entirely a haze for me, but my team will not soon forget the urgency each and every one of you put in to give us our company back. I've utilized Progent for the past ten years, possibly more, and each time I needed help Progent has outperformed my expectations and delivered as promised. This time was a testament to your capabilities."
A likely business-ending disaster was averted through the efforts of top-tier experts, a broad spectrum of IT skills, and close collaboration. Although post-incident forensics showed that the ransomware incident described here could have been prevented with up-to-date cyber security technology and ISO/IEC 27001 best practices, staff training, properly executed incident response procedures for information protection, and proper patching controls, the reality remains that state-sponsored hackers from Russia, China and elsewhere are relentless and represent an ongoing threat. If you do get hit by a ransomware intrusion, you can be confident that Progent's team of experts has substantial experience in crypto-ransomware defense, cleanup, and data recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (along with others that were involved), thanks very much for allowing me to get rested after we made it through the most critical parts. All of you did an incredible effort, and if any of your guys is in the Chicago area, dinner is my treat!"
To read or download a PDF version of this customer story, see Progent's Ransomware Incident Recovery Case Study Datasheet (PDF, 282 KB).
Additional Crypto-Ransomware Protection Services Available from Progent
Progent offers businesses in Waltham a portfolio of online monitoring and security assessment services designed to help you reduce the threat from ransomware. These services utilize next-generation machine learning technology to detect new strains of ransomware that can evade legacy signature-based anti-virus solutions.
For 24-Hour Waltham Crypto-Ransomware Removal Experts, contact Progent at 800-462-8800 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
ProSight Active Security Monitoring (ASM) is an endpoint protection solution that incorporates cutting-edge behavior-based analysis technology to guard physical and virtual endpoints against new malware attacks such as ransomware and fileless exploits, which easily evade legacy signature-matching AV products. ProSight ASM protects on-premises and cloud resources and provides a single platform to manage the entire threat lifecycle including protection, detection, containment, remediation, and forensics. Top capabilities include single-click rollback using the Windows Volume Shadow Copy Service and real-time network-wide immunization against newly discovered attacks. Read more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware recovery.
- ProSight Enhanced Security Protection (ESP): Endpoint Protection and Microsoft Exchange Filtering
ProSight Enhanced Security Protection (ESP) managed services deliver economical multi-layer protection for physical servers and virtual machines, workstations, mobile devices, and Exchange Server. ProSight ESP uses contextual security and modern behavior analysis to continuously monitor and react to cyber attacks from all attack vectors. ProSight ESP offers firewall protection, intrusion alerts, endpoint control, and web filtering via cutting-edge tools incorporated within a single agent managed from a single console. Progent's security and virtualization consultants can help you design and configure a ProSight ESP environment that addresses your organization's specific needs and allows you to demonstrate compliance with government and industry data security regulations. Progent will assist you in specifying and configuring the security policies that ProSight ESP will enforce, and Progent will monitor your IT environment and react to alerts that call for immediate attention. Progent can also assist you to set up and test a backup and disaster recovery system such as ProSight Data Protection Services (DPS) so you can get back in business quickly after a destructive cyber attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint protection and Exchange filtering.
- ProSight Data Protection Services: Managed Backup and Recovery
ProSight Data Protection Services provide small and mid-sized businesses a low cost end-to-end solution for secure backup/disaster recovery. Available at a fixed monthly rate, ProSight Data Protection Services automates and monitors your backup processes and enables fast recovery of critical data, apps and virtual machines that have become lost or corrupted due to hardware breakdowns, software bugs, natural disasters, human mistakes, or malicious attacks like ransomware. ProSight DPS can help you back up, retrieve and restore files, folders, apps, system images, plus Microsoft Hyper-V and VMware virtual machine images. Important data can be protected on the cloud, to a local device, or mirrored to both. Progent's backup and recovery specialists can provide advanced support to set up ProSight DPS to be compliant with government and industry regulatory standards like HIPAA, FINRA, and PCI and, when needed, can assist you to restore your critical information. Find out more about ProSight Data Protection Services Managed Backup.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam filtering and email encryption service that uses the infrastructure of top information security companies to provide centralized control and comprehensive security for all your inbound and outbound email. The layered design of Progent's Email Guard combines cloud-based filtering with an on-premises security gateway device to provide advanced protection against spam, viruses, Denial of Service (DoS) attacks, Directory Harvest Attacks, and other email-based threats. The Cloud Protection Layer serves as a first barrier and keeps most threats from ever reaching your network firewall. This decreases your exposure to external threats and conserves bandwidth and storage. Email Guard's on-premises gateway device adds a deeper level of analysis for inbound email. For outbound email, the onsite gateway offers AV and anti-spam filtering, protection against data leaks, and email encryption. The onsite security gateway can also assist Exchange Server to track and protect internal email traffic that originates and ends inside your security perimeter. For more details, see ProSight Email Guard spam and content filtering.
- ProSight WAN Watch: Infrastructure Remote Monitoring and Management
ProSight WAN Watch is an infrastructure management service that makes it easy and affordable for small and mid-sized businesses to map out, monitor, reconfigure and troubleshoot their networking hardware such as switches, firewalls, and load balancers as well as servers, printers, endpoints and other networked devices. Incorporating cutting-edge RMM technology, ProSight WAN Watch makes sure that network maps are always current, captures and manages the configuration of almost all devices connected to your network, tracks performance, and generates alerts when problems are detected. By automating time-consuming network management processes, ProSight WAN Watch can cut hours off ordinary chores such as network mapping, expanding your network, finding appliances that need critical updates, or resolving performance bottlenecks. Learn more details about ProSight WAN Watch network infrastructure monitoring and management consulting.
- ProSight LAN Watch: Server and Desktop Remote Monitoring
ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that incorporates state-of-the-art remote monitoring and management (RMM) technology to help keep your IT system operating efficiently by tracking the state of the critical computers that power your business network. When ProSight LAN Watch uncovers an issue, an alert is transmitted automatically to your designated IT personnel and your assigned Progent engineering consultant so that potential problems can be addressed before they impact productivity. Learn more about ProSight LAN Watch server and desktop remote monitoring services.
- ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
With Progent's ProSight Virtual Hosting service, a small or mid-size organization can have its key servers and applications hosted in a protected Tier III data center on a fast virtual machine host configured and maintained by Progent's IT support experts. Under Progent's ProSight Virtual Hosting service model, the client retains ownership of the data, the OS platforms, and the apps. Because the environment is virtualized, it can be moved immediately to a different hosting solution without requiring a lengthy and difficult configuration procedure. With ProSight Virtual Hosting, your business is not tied to a single hosting provider. Learn more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to capture, update, find and protect information about your network infrastructure, processes, business apps, and services. You can quickly locate passwords or serial numbers and be alerted automatically about impending expirations of SSL certificates or domains. By cleaning up and managing your IT infrastructure documentation, you can save up to 50% of the time spent looking for vital information about your IT network. ProSight IT Asset Management features a centralized location for holding and collaborating on all documents related to managing your business network, such as standard operating procedures (SOPs) and How-To's. ProSight IT Asset Management also supports a high level of automation for gathering and associating IT data. Whether you're planning improvements, doing maintenance, or reacting to a crisis, ProSight IT Asset Management delivers the data you require the instant you need it. Read more about Progent's ProSight IT Asset Management service.