Ransomware: Your Feared IT Nightmare
Ransomware has become a too-frequent cyber pandemic that poses an enterprise-level danger for organizations poorly prepared for an assault. Versions of ransomware like the Reveton, Fusob, Locky, SamSam and MongoLock cryptoworms have been around for years and still inflict damage. More recent strains of ransomware like Ryuk, Maze, Sodinokibi, Netwalker, Conti or Egregor, along with frequent as yet unnamed newcomers, not only encrypt on-line data but also infiltrate most accessible system backups. Information synchronized to off-site disaster recovery sites can also be rendered useless. In a poorly architected data protection solution, this can make automatic recovery hopeless and basically set the datacenter back to zero.

Restoring applications and information after a ransomware intrusion becomes a sprint against the clock as the targeted business struggles to contain the damage, clean up the crypto-ransomware, and resume enterprise-critical activity. Because ransomware requires time to replicate, penetrations are usually launched on weekends, when attacks may take more time to identify. This multiplies the difficulty of promptly marshalling and coordinating a qualified response team.

Progent offers a range of help services for protecting businesses from crypto-ransomware penetrations. Among these are staff training to help recognize and not fall victim to phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, plus setup and configuration of the latest generation security gateways with AI technology to quickly discover and suppress zero-day cyber threats. Progent also offers the services of experienced ransomware recovery professionals with the track record and commitment to rebuild a compromised environment as urgently as possible.

Progent's Ransomware Recovery Services
Following a ransomware attack, even paying the ransom demands in Bitcoin cryptocurrency does not ensure that criminal gangs will respond with the needed keys to decipher all your information. Kaspersky Labs determined that 17% of crypto-ransomware victims never restored their data after having sent off the ransom, resulting in additional losses. The risk is also expensive. Ryuk ransoms commonly range from 15 to 40 BTC ($120,000 to $400,000). This is well above the usual ransomware demands, which ZDNET estimates average around $13,000. The fallback is to piece back together the vital elements of your Information Technology environment. Absent the availability of full information backups, this requires a wide complement of skill sets, well-coordinated project management, and the capability to work non-stop until the job is over.

For two decades, Progent has made available professional IT services for businesses in Eugene and across the US and has achieved Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes engineers who have earned high-level industry certifications in foundation technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity specialists have earned internationally-renowned industry certifications including CISM, CISSP, ISACA CRISC, and SANS GIAC. (Refer to Progent's certifications.) Progent also has experience in financial systems and ERP software solutions. This breadth of experience gives Progent the capability to knowledgeably determine critical systems and organize the remaining components of your IT system after a crypto-ransomware attack and configure them into a functioning system.

Progent's security team of experts uses top-notch project management tools to orchestrate the sophisticated restoration process. Progent understands the urgency of working rapidly and in concert with a customer's management and Information Technology team members to prioritize tasks and to put critical services back on-line as fast as possible.

Client Case Study: A Successful Ransomware Incident Response
A customer escalated to Progent after their company was taken over by the Ryuk ransomware virus. Ryuk is generally considered to have been launched by North Korean state criminal gangs, possibly using techniques leaked from the United States NSA organization. Ryuk seeks specific companies with limited ability to sustain operational disruption and is among the most profitable instances of ransomware. Major victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a small manufacturing business located in Chicago with around 500 workers. The Ryuk attack had brought down all business operations and manufacturing processes. Most of the client's data backups had been online at the start of the intrusion and were encrypted. The client was actively seeking loans for paying the ransom (more than $200K) and praying for good luck, but in the end brought in Progent.

"I can't say enough in regards to the expertise Progent gave us during the most fearful time of (our) company's life. We had little choice but to pay the cyber criminals if not for the confidence the Progent group provided us. The fact that you could get our e-mail and production servers back into operation faster than one week was something I thought impossible. Every single person I worked with or messaged at Progent was hell bent on getting us back online and was working 24 by 7 on our behalf."

Progent worked together with the customer to rapidly identify and prioritize the mission critical services that had to be addressed in order to restart business operations:

  • Active Directory (AD)
  • Electronic Messaging
  • MRP System

To start, Progent followed ransomware event mitigation best practices by stopping lateral movement and cleaning up compromised systems. Progent then initiated the steps of recovering Active Directory, the key technology of enterprise networks built upon Microsoft Windows technology. Microsoft Exchange Server email will not function without Active Directory, and the client's MRP system used SQL Server, which depends on Windows AD for access to the data.

Within two days, Progent was able to restore Active Directory services to their pre-virus state. Progent then completed setup and hard drive recovery on the most important servers. All Microsoft Exchange Server schema and configuration information were intact, which accelerated the restore of Exchange. Progent was also able to collect local OST data files (Outlook Off-Line Data Files) on various desktop computers to recover email data. A not too old off-line backup of the customer's manufacturing software made it possible to make these essential services available to users again. Although a lot of work still had to be done to recover completely from the Ryuk attack, the most important services were recovered quickly:


"For the most part, the production operation did not miss a beat and we delivered all customer sales."

Throughout the next couple of weeks, key milestones in the restoration project were completed through close collaboration between Progent team members and the client:

  • Internal web applications were restored without losing any information.
  • The MailStore Exchange Server, exceeding 4 million historical emails, was brought online and made available to users.
  • CRM/Orders/Invoices/AP/AR/Inventory Control capabilities were completely functional.
  • A new Palo Alto 850 firewall was brought on-line.
  • Nearly all of the user PCs were being used by staff.

"A lot of what went on in the early hours is mostly a haze for me, but my team will not forget the care each of you put in to give us our company back. I've entrusted Progent for the past ten years, possibly more, and each time Progent has shined and delivered. This situation was no exception but maybe more Herculean."

Conclusion
A probable business-killing catastrophe was avoided through hard-working experts, a wide range of knowledge, and close collaboration. In hindsight, the ransomware incident described here could have been identified and disabled with current cyber security solutions, NIST Cybersecurity Framework or ISO/IEC 27001 best practices, staff training, and appropriate incident response procedures for information backup and for keeping systems up to date with security patches. The fact remains, however, that government-sponsored cybercriminals from Russia, North Korea and elsewhere are relentless and are not going away. If you do get hit by a ransomware virus, feel confident that Progent's roster of experts has a proven track record in crypto-ransomware virus blocking, mitigation, and data recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (and any others that were involved), thanks very much for letting me get some sleep after we made it through the first week. All of you did an impressive job, and if any of your team is around the Chicago area, a great meal is the least I can do!"

To read or download a PDF version of this customer story, click:
Progent's Ryuk Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent can provide businesses in Eugene a variety of online monitoring and security evaluation services to help you to minimize the threat from ransomware. These services include next-generation AI technology to detect new strains of ransomware that can evade legacy signature-based security solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring is an endpoint protection (EPP) service that incorporates next generation behavior-based analysis technology to defend physical and virtual endpoint devices against modern malware assaults such as ransomware and file-less exploits, which routinely escape traditional signature-based anti-virus tools. ProSight ASM safeguards on-premises and cloud resources and offers a single platform to address the entire threat progression including blocking, infiltration detection, containment, remediation, and forensics. Key features include single-click rollback using Windows Volume Shadow Copy Service (VSS) and automatic system-wide immunization against newly discovered attacks. Read more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection (ESP): Endpoint Security and Exchange Filtering
    Progent's ProSight Enhanced Security Protection services deliver affordable multi-layer security for physical and virtual servers, workstations, smartphones, and Microsoft Exchange. ProSight ESP uses contextual security and advanced heuristics for continuously monitoring and responding to security threats from all attack vectors. ProSight ESP delivers firewall protection, intrusion alarms, endpoint management, and web filtering via cutting-edge technologies incorporated within one agent managed from a single console. Progent's data protection and virtualization experts can help you to plan and configure a ProSight ESP environment that meets your company's unique needs and that allows you to demonstrate compliance with legal and industry data protection standards. Progent will help you define and configure security policies that ProSight ESP will enforce, and Progent will monitor your IT environment and react to alerts that require immediate action. Progent's consultants can also help your company set up and verify a backup and disaster recovery solution such as ProSight Data Protection Services (DPS) so you can recover quickly from a destructive security attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection unified endpoint security and Exchange email filtering.

  • ProSight Data Protection Services (DPS): Managed Backup and Disaster Recovery Services
    Progent has partnered with leading backup software companies to create ProSight Data Protection Services, a portfolio of management offerings that deliver backup-as-a-service. ProSight DPS services manage and track your data backup operations and allow non-disruptive backup and fast recovery of vital files/folders, applications, images, plus virtual machines. ProSight DPS helps your business protect against data loss caused by hardware failures, natural calamities, fire, cyber attacks such as ransomware, user mistakes, ill-intentioned insiders, or application glitches. Managed backup services available in the ProSight DPS product family include ProSight Altaro VM Backup, ProSight Altaro Office 365 Total Backup, ProSight ECHO Backup using Barracuda purpose-built storage, and ProSight DPS MSP360 Hybrid Backup. Your Progent service representative can help you to identify which of these managed services are most appropriate for your network.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that uses the infrastructure of top information security companies to provide centralized control and world-class protection for all your email traffic. The powerful architecture of Progent's Email Guard managed service combines cloud-based filtering with an on-premises security gateway appliance to provide advanced protection against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks (DHAs), and other email-borne malware. Email Guard's Cloud Protection Layer serves as a first line of defense and blocks the vast majority of unwanted email from making it to your network firewall. This reduces your exposure to inbound threats and saves system bandwidth and storage space. Email Guard's onsite security gateway device adds a deeper level of analysis for inbound email. For outgoing email, the onsite security gateway offers AV and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The on-premises gateway can also assist Exchange Server to monitor and protect internal email that stays within your corporate firewall. For more information, see Email Guard spam and content filtering.

  • ProSight WAN Watch: Infrastructure Remote Monitoring and Management
    Progent's ProSight WAN Watch is a network infrastructure monitoring and management service that makes it easy and inexpensive for smaller organizations to map, track, reconfigure and debug their connectivity appliances like switches, firewalls, and load balancers as well as servers, printers, client computers and other networked devices. Incorporating cutting-edge Remote Monitoring and Management technology, WAN Watch ensures that infrastructure topology maps are kept current, captures and displays the configuration information of virtually all devices connected to your network, tracks performance, and sends notices when potential issues are detected. By automating complex management activities, ProSight WAN Watch can cut hours off common tasks like network mapping, expanding your network, finding appliances that need critical updates, or isolating performance problems. Find out more about ProSight WAN Watch infrastructure management consulting.

  • ProSight LAN Watch: Server and Desktop Monitoring
    ProSight LAN Watch is Progent's server and desktop monitoring service that uses advanced remote monitoring and management (RMM) techniques to keep your IT system running efficiently by checking the health of critical computers that power your information system. When ProSight LAN Watch uncovers an issue, an alarm is sent immediately to your specified IT management staff and your assigned Progent engineering consultant so that any looming issues can be resolved before they can impact your network. Find out more about ProSight LAN Watch server and desktop monitoring services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With ProSight Virtual Hosting service, a small organization can have its critical servers and applications hosted in a protected Tier III data center on a high-performance virtual machine host configured and managed by Progent's IT support experts. With Progent's ProSight Virtual Hosting service model, the customer owns the data, the operating system platforms, and the applications. Since the system is virtualized, it can be moved immediately to an alternate hosting environment without a lengthy and difficult configuration procedure. With ProSight Virtual Hosting, you are not locked into a single hosting service. Learn more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to create, update, find and safeguard data related to your IT infrastructure, processes, applications, and services. You can instantly locate passwords or serial numbers and be alerted automatically about impending expirations of SSL certificates or domains. By cleaning up and managing your IT documentation, you can eliminate as much as half of the time wasted looking for critical information about your IT network. ProSight IT Asset Management includes a common repository for holding and collaborating on all documents required for managing your business network like standard operating procedures and self-service instructions. ProSight IT Asset Management also offers a high level of automation for gathering and associating IT data. Whether you're making enhancements, doing regular maintenance, or reacting to a crisis, ProSight IT Asset Management gets you the knowledge you require as soon as you need it. Learn more about Progent's ProSight IT Asset Management service.

For 24x7x365 Eugene Crypto-Ransomware Removal Services, call Progent at 800-462-8800 or go to Contact Progent.