Ransomware : Your Worst IT Disaster
Ransomware has become an all-too-frequent cyber pandemic that represents an existential threat for organizations poorly prepared for an attack. Versions of crypto-ransomware like the CryptoLocker, WannaCry, Locky, Syskey and MongoLock cryptoworms have been running rampant for years and still inflict damage. Modern strains of ransomware like Ryuk, Maze, Sodinokibi, Netwalker, Snatch or Egregor, along with frequent unnamed malware, not only encrypt online data files but also infiltrate any accessible system protection mechanisms, including online backups. Information synced to the cloud can also be rendered useless when the encrypted files are replicated there. In a poorly designed environment, this makes automated restore operations useless and effectively knocks the datacenter back to square one.
Getting services and information back after a ransomware outage becomes a race against the clock as the targeted business tries to contain and clean up the infection and resume business-critical activity. Because ransomware takes time to spread, attacks are often triggered during weekends and nights, when they typically take longer to detect. This multiplies the difficulty of promptly mobilizing and organizing a knowledgeable mitigation team.
Progent makes available an assortment of services for securing organizations from crypto-ransomware attacks. These include team education to become familiar with and avoid phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, along with setup and configuration of next-generation security appliances with artificial intelligence capabilities to quickly discover and suppress new cyber threats. Progent also offers the assistance of veteran crypto-ransomware recovery professionals with the talent and perseverance to reconstruct a breached environment as soon as possible.
Progent's Ransomware Recovery Services
After a crypto-ransomware event, paying the ransom demand in cryptocurrency does not ensure that the attackers will respond with the keys to decrypt any or all of your data. Kaspersky estimated that 17% of crypto-ransomware victims never recovered their files even after paying the ransom, resulting in additional losses. The gamble is also costly. Ryuk ransoms frequently range from 15 to 40 BTC (between $120,000 and $400,000). This is far higher than the average ransomware demand, which ZDNet determined to be approximately $13,000. The alternative is to rebuild the vital parts of your IT environment from scratch. Without usable data backups, this requires a broad range of skill sets, well-coordinated project management, and the capability to work non-stop until the job is complete.
For two decades, Progent has provided professional IT services for companies in Eugene and throughout the U.S. and has earned Microsoft's Gold Partner certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes engineers who hold high-level industry certifications in foundation technologies from Microsoft, Cisco, and VMware, and in popular distributions of Linux. Progent's cyber security consultants hold internationally recognized certifications including CISM, CISSP, CRISC, and GIAC (see Progent's certifications). Progent also has expertise with financial management and ERP application software. This breadth of experience allows Progent to quickly understand critical systems, consolidate the remaining pieces of your network following a ransomware penetration, and rebuild them into a functioning system.
Progent's recovery team deploys powerful project management applications to orchestrate the sophisticated restoration process. Progent appreciates the importance of acting rapidly and together with a client's management and IT resources to assign priority to tasks and to put the most important services back on line as fast as humanly possible.
Client Case Study: A Successful Crypto-Ransomware Intrusion Recovery
A client sought out Progent after their company was brought down by the Ryuk ransomware. Ryuk is thought to have been launched by North Korean state-sponsored criminal gangs, possibly using techniques leaked from the United States National Security Agency. Ryuk targets specific businesses with limited tolerance for operational disruption and is one of the most profitable incarnations of ransomware. Well-known targets include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a small manufacturing business headquartered in the Chicago metro area with about 500 employees. The Ryuk penetration had disabled all business operations and manufacturing capabilities. Most of the client's backups had been online at the start of the attack and were encrypted. The client considered paying the ransom (more than $200K) and hoping for the best, but in the end engaged Progent.
"I cannot thank you enough for the help Progent provided us during the most fearful period of (our) company's life. We had little choice but to pay the cyber criminals except for the confidence the Progent team gave us. That you were able to get our e-mail system and key applications back online in less than a week was amazing. Every single expert I spoke to or texted at Progent was totally committed to getting us back online and was working non-stop on our behalf."
Progent worked together with the customer to quickly understand and prioritize the most important applications that needed to be restored in order to restart departmental operations:
- Active Directory
- Microsoft Exchange Email
To begin, Progent followed anti-virus/malware incident response best practices by stopping lateral movement and cleaning infected systems. Progent then began the task of recovering Windows Active Directory, the heart of enterprise environments built on Microsoft Windows technology. Microsoft Exchange email will not function without Active Directory, and the customer's MRP applications relied on Microsoft SQL Server, which requires Active Directory for authentication to the data.
In less than 48 hours, Progent was able to rebuild Active Directory services to their pre-attack state. Progent then charged ahead with setup and storage recovery on mission-critical systems. All Exchange Server data and configuration information were intact, which accelerated the restore of Exchange. Progent was also able to collect unencrypted OST files (Outlook offline data files) from staff workstations and laptops to recover email data. A fairly recent offline backup of the business's financial/MRP systems made it possible to bring these essential applications back online. Although much work remained to recover fully from the Ryuk event, essential services were restored rapidly:
"For the most part, the assembly line operation never missed a beat and we did not miss any customer shipments."
Over the following couple of weeks, critical milestones in the restoration process were reached in close cooperation between Progent consultants and the customer:
- Internal web applications were returned to operation with no loss of data.
- The MailStore Server containing more than 4 million archived messages was brought online and available for users.
- CRM/Orders/Invoices/Accounts Payable (AP)/Accounts Receivables/Inventory capabilities were 100 percent restored.
- A new Palo Alto 850 firewall was installed and configured.
- Most of the user desktops were back in operation.
"A lot of what happened those first few days is nearly entirely a haze for me, but we will not forget the care all of your team put in to give us our company back. I have entrusted Progent for the past 10 years, maybe more, and every time Progent has shined and delivered as promised. This time was a Herculean accomplishment."
A probable enterprise-killing catastrophe was averted thanks to results-oriented experts, a wide spectrum of subject matter expertise, and close teamwork. In the post mortem, the ransomware incident described here should have been identified and blocked by advanced security technology, best practices, user training, and well-designed procedures for information backup and for keeping systems current with security patches. The fact remains, however, that government-sponsored criminal cyber gangs from Russia, China and elsewhere are tireless and represent an ongoing threat. If you do get hit by a ransomware incursion, remember that Progent's roster of experts has proven experience in ransomware blocking, removal, and data disaster recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others who were helping), thanks very much for making it so I could get some sleep after we made it over the initial fire. Everyone did an impressive job, and if anyone that helped is visiting the Chicago area, dinner is my treat!"
To read or download a PDF version of this customer case study, see Progent's Ryuk Incident Recovery Case Study Datasheet (PDF, 282 KB).
Additional Ransomware Protection Services Offered by Progent
Progent can provide companies in Eugene a variety of remote monitoring and security assessment services designed to assist you to minimize your vulnerability to ransomware. These services include modern artificial intelligence technology to uncover zero-day variants of crypto-ransomware that can escape detection by traditional signature-based anti-virus solutions.
For 24/7 Eugene crypto-ransomware remediation experts, contact Progent at 800-993-9400 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) solution that incorporates cutting edge behavior-based machine learning tools to guard physical and virtual endpoints against new malware attacks like ransomware and email phishing, which routinely escape traditional signature-based anti-virus products. ProSight Active Security Monitoring safeguards on-premises and cloud resources and provides a single platform to address the entire threat progression including protection, detection, containment, cleanup, and post-attack forensics. Top features include one-click rollback using Windows Volume Shadow Copy Service and real-time system-wide immunization against newly discovered threats. Read more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware defense.
- ProSight Enhanced Security Protection: Endpoint Security and Microsoft Exchange Email Filtering
ProSight Enhanced Security Protection managed services offer economical multi-layer security for physical servers and virtual machines, desktops, smartphones, and Microsoft Exchange. ProSight ESP utilizes adaptive security and advanced heuristics for round-the-clock monitoring and reacting to cyber assaults from all vectors. ProSight ESP delivers two-way firewall protection, intrusion alarms, endpoint management, and web filtering through cutting-edge tools packaged within one agent accessible from a single console. Progent's security and virtualization consultants can help you plan and configure a ProSight ESP environment that meets your organization's specific needs and that allows you to achieve and demonstrate compliance with legal and industry data protection standards. Progent will help you define and configure the security policies that ProSight ESP will enforce, and Progent will monitor your network and respond to alarms that call for urgent attention. Progent can also help your company set up and test a backup and restore system such as ProSight Data Protection Services (DPS) so you can get back in business rapidly after a destructive cyber attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified endpoint protection and Microsoft Exchange filtering.
- ProSight Data Protection Services: Managed Backup and Recovery
ProSight Data Protection Services from Progent provide small and mid-sized businesses an affordable and fully managed solution for secure backup/disaster recovery (BDR). Available at a fixed monthly cost, ProSight DPS automates your backup processes and enables fast restoration of critical data, apps and VMs that have become unavailable or damaged as a result of component failures, software bugs, natural disasters, human mistakes, or malware attacks such as ransomware. ProSight DPS can help you back up, recover and restore files, folders, applications, system images, plus Hyper-V and VMware virtual machine images. Important data can be backed up on the cloud, to a local device, or to both. Progent's BDR consultants can provide advanced expertise to set up ProSight Data Protection Services to be compliant with government and industry regulatory standards such as HIPAA, FINRA, PCI and Safe Harbor and, whenever needed, can help you to restore your critical data. Learn more about ProSight DPS Managed Backup.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam filtering service that uses the infrastructure of leading information security companies to deliver web-based management and comprehensive protection for all your email traffic. The hybrid structure of Progent's Email Guard combines cloud-based filtering with a local gateway device to provide complete protection against spam, viruses, denial-of-service (DoS) attacks, directory harvest attacks (DHAs), and other email-borne threats. The cloud filter acts as a preliminary barricade and blocks most unwanted email from reaching your security perimeter. This reduces your exposure to inbound attacks and conserves network bandwidth and storage. Email Guard's onsite gateway appliance adds a deeper layer of analysis for inbound email. For outgoing email, the onsite security gateway provides AV and anti-spam protection, protection against data leaks, and email encryption. The local gateway can also assist Microsoft Exchange Server in monitoring and protecting internal email that stays inside your security perimeter. For more details, visit ProSight Email Guard spam filtering and data leakage protection.
- ProSight WAN Watch: Infrastructure Remote Monitoring and Management
ProSight WAN Watch is an infrastructure management service that makes it easy and inexpensive for small and mid-sized organizations to map out, monitor, optimize and troubleshoot their networking hardware such as routers, firewalls, and access points plus servers, printers, client computers and other networked devices. Incorporating cutting-edge RMM technology, ProSight WAN Watch makes sure that network maps are kept updated, captures and manages the configuration of almost all devices connected to your network, tracks performance, and generates alerts when problems are discovered. By automating time-consuming management processes, ProSight WAN Watch can knock hours off common chores like network mapping, reconfiguring your network, finding appliances that require critical software patches, or isolating performance issues. Learn more about ProSight WAN Watch infrastructure management services.
- ProSight LAN Watch: Server and Desktop Monitoring
ProSight LAN Watch is Progent's server and desktop remote monitoring service that uses advanced remote monitoring and management (RMM) technology to keep your network running at peak levels by tracking the state of critical computers that power your information system. When ProSight LAN Watch uncovers an issue, an alarm is transmitted immediately to your specified IT personnel and your assigned Progent engineering consultant so any looming problems can be addressed before they can impact productivity. Find out more about ProSight LAN Watch server and desktop remote monitoring consulting.
- ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
With Progent's ProSight Virtual Hosting service, a small business can have its key servers and apps hosted in a protected Tier III data center on a fast virtual machine host configured and maintained by Progent's network support experts. With Progent's ProSight Virtual Hosting service model, the customer retains ownership of the data, the OS software, and the applications. Because the system is virtualized, it can be ported easily to an alternate hosting solution without requiring a time-consuming and difficult configuration process. With ProSight Virtual Hosting, your business is not locked into a single hosting provider. Find out more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to create, maintain, retrieve and protect data related to your IT infrastructure, processes, business apps, and services. You can instantly find passwords or serial numbers and be alerted about upcoming expirations of SSL certificates or warranties. By updating and organizing your IT documentation, you can eliminate up to 50% of time wasted searching for vital information about your network. ProSight IT Asset Management features a common repository for holding and sharing all documents required for managing your network infrastructure like standard operating procedures (SOPs) and How-To's. ProSight IT Asset Management also offers advanced automation for collecting and relating IT data. Whether you're planning enhancements, performing maintenance, or reacting to an emergency, ProSight IT Asset Management gets you the knowledge you require as soon as you need it. Read more about ProSight IT Asset Management service.