Ransomware : Your Feared IT Disaster
Crypto-Ransomware  Recovery ExpertsRansomware has become an escalating cyber pandemic that represents an extinction-level threat for businesses of all sizes unprepared for an assault. Versions of ransomware such as CrySIS, Fusob, Locky, SamSam and MongoLock cryptoworms have been circulating for a long time and still cause harm. Newer strains of ransomware like Ryuk, Maze, Sodinokibi, Netwalker, Conti or Egregor, as well as daily as yet unnamed malware, not only encrypt online data files but also infiltrate all accessible system protection mechanisms. Information replicated to the cloud can also be corrupted. In a poorly architected system, this can render automated restoration hopeless and basically knocks the datacenter back to square one.

Getting back online services and information after a crypto-ransomware intrusion becomes a race against time as the victim tries its best to contain the damage and remove the ransomware and to restore business-critical activity. Due to the fact that ransomware requires time to move laterally, assaults are frequently launched during nights and weekends, when successful penetrations tend to take more time to discover. This compounds the difficulty of promptly marshalling and orchestrating a capable response team.

Progent has a range of solutions for securing organizations from ransomware attacks. Among these are team training to help recognize and avoid phishing scams, ProSight Active Security Monitoring for remote monitoring and management, along with deployment of next-generation security solutions with machine learning capabilities to quickly identify and extinguish day-zero cyber threats. Progent in addition can provide the services of experienced ransomware recovery engineers with the track record and perseverance to restore a breached system as quickly as possible.

Progent's Ransomware Recovery Help
Soon after a ransomware penetration, paying the ransom demands in cryptocurrency does not ensure that criminal gangs will provide the needed keys to unencrypt all your data. Kaspersky ascertained that seventeen percent of ransomware victims never recovered their files after having sent off the ransom, resulting in more losses. The gamble is also very costly. Ryuk ransoms frequently range from fifteen to forty BTC ($120,000 and $400,000). This is significantly higher than the average ransomware demands, which ZDNET determined to be in the range of $13,000. The alternative is to setup from scratch the essential parts of your IT environment. Without the availability of full data backups, this calls for a broad range of skill sets, well-coordinated project management, and the ability to work continuously until the job is complete.

For two decades, Progent has made available expert IT services for businesses in Fort Worth and across the U.S. and has achieved Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes engineers who have attained high-level industry certifications in foundation technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity experts have earned internationally-renowned industry certifications including CISA, CISSP-ISSAP, ISACA CRISC, and SANS GIAC. (Refer to Progent's certifications). Progent also has expertise with financial management and ERP software solutions. This breadth of experience provides Progent the capability to rapidly identify important systems and consolidate the remaining pieces of your computer network environment after a ransomware event and assemble them into an operational system.

Progent's security team utilizes top notch project management tools to orchestrate the sophisticated recovery process. Progent knows the urgency of acting quickly and in unison with a client's management and IT staff to prioritize tasks and to get the most important systems back on line as fast as humanly possible.

Customer Story: A Successful Ransomware Virus Response
A client contacted Progent after their company was attacked by Ryuk crypto-ransomware. Ryuk is believed to have been deployed by North Korean state sponsored criminal gangs, suspected of using strategies exposed from the United States NSA organization. Ryuk attacks specific companies with limited room for disruption and is among the most lucrative instances of crypto-ransomware. Major victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a small manufacturing company headquartered in Chicago with around 500 employees. The Ryuk penetration had shut down all essential operations and manufacturing capabilities. Most of the client's information backups had been online at the time of the attack and were destroyed. The client was pursuing financing for paying the ransom demand (more than $200K) and hoping for good luck, but ultimately engaged Progent.


"I cannot speak enough in regards to the expertise Progent gave us throughout the most stressful period of (our) businesses existence. We may have had to pay the Hackers if it wasnít for the confidence the Progent group gave us. The fact that you could get our messaging and key servers back sooner than 1 week was something I thought impossible. Every single person I interacted with or texted at Progent was hell bent on getting our company operational and was working at all hours on our behalf."

Progent worked together with the client to quickly identify and prioritize the critical areas that had to be recovered to make it possible to resume company operations:

  • Active Directory
  • Electronic Mail
  • Accounting/MRP
To get going, Progent followed ransomware incident response best practices by halting lateral movement and disinfecting systems. Progent then initiated the task of recovering Windows Active Directory, the heart of enterprise systems built upon Microsoft technology. Microsoft Exchange messaging will not function without Windows AD, and the businessesí financials and MRP software leveraged Microsoft SQL Server, which depends on Windows AD for access to the information.

In less than 2 days, Progent was able to restore Active Directory to its pre-attack state. Progent then helped perform setup and storage recovery on key applications. All Exchange Server schema and attributes were usable, which accelerated the rebuild of Exchange. Progent was able to locate non-encrypted OST data files (Microsoft Outlook Off-Line Data Files) on user workstations to recover email information. A recent offline backup of the businesses accounting/MRP systems made it possible to restore these vital services back online for users. Although significant work needed to be completed to recover fully from the Ryuk event, the most important services were restored quickly:


"For the most part, the production line operation was never shut down and we did not miss any customer orders."

Over the following month critical milestones in the recovery process were made in close cooperation between Progent team members and the customer:

  • Self-hosted web sites were returned to operation with no loss of information.
  • The MailStore Microsoft Exchange Server containing more than four million historical messages was brought online and available for users.
  • CRM/Product Ordering/Invoices/Accounts Payable (AP)/Accounts Receivables (AR)/Inventory Control functions were 100% restored.
  • A new Palo Alto 850 security appliance was deployed.
  • 90% of the desktops and laptops were back into operation.

"A lot of what was accomplished that first week is mostly a fog for me, but my management will not forget the care all of the team accomplished to give us our company back. Iíve been working with Progent for at least 10 years, possibly more, and each time I needed help Progent has come through and delivered. This situation was a stunning achievement."

Conclusion
A probable business catastrophe was dodged through the efforts of hard-working professionals, a broad spectrum of technical expertise, and tight teamwork. Although in post mortem the crypto-ransomware attack detailed here would have been shut down with modern cyber security technology solutions and security best practices, user training, and well thought out security procedures for information protection and keeping systems up to date with security patches, the reality remains that government-sponsored cyber criminals from Russia, North Korea and elsewhere are tireless and will continue. If you do get hit by a ransomware penetration, feel confident that Progent's roster of professionals has proven experience in ransomware virus blocking, mitigation, and file disaster recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (along with others who were contributing), thanks very much for allowing me to get some sleep after we got through the first week. Everyone did an impressive effort, and if any of your team is in the Chicago area, a great meal is on me!"

To read or download a PDF version of this customer case study, click:
Progent's Crypto-Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent offers businesses in Fort Worth a range of remote monitoring and security assessment services designed to help you to minimize the threat from ransomware. These services include next-generation AI technology to uncover new strains of ransomware that can evade legacy signature-based anti-virus products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring (ASM) is an endpoint protection service that incorporates cutting edge behavior machine learning technology to guard physical and virtual endpoints against modern malware assaults such as ransomware and file-less exploits, which easily escape traditional signature-based AV tools. ProSight ASM safeguards local and cloud resources and offers a unified platform to manage the entire threat lifecycle including protection, identification, mitigation, remediation, and forensics. Top capabilities include one-click rollback with Windows VSS and automatic network-wide immunization against new attacks. Learn more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection: Physical and Virtual Endpoint Protection and Microsoft Exchange Filtering
    Progent's ProSight Enhanced Security Protection (ESP) managed services offer economical multi-layer security for physical servers and virtual machines, workstations, smartphones, and Exchange Server. ProSight ESP utilizes adaptive security and modern behavior analysis for continuously monitoring and responding to cyber threats from all vectors. ProSight ESP delivers two-way firewall protection, penetration alerts, device control, and web filtering via cutting-edge technologies packaged within one agent managed from a single control. Progent's security and virtualization consultants can help you to plan and configure a ProSight ESP environment that addresses your organization's specific needs and that allows you achieve and demonstrate compliance with government and industry information protection regulations. Progent will assist you specify and configure policies that ProSight ESP will manage, and Progent will monitor your network and react to alarms that call for urgent attention. Progent can also assist your company to install and test a backup and restore solution such as ProSight Data Protection Services (DPS) so you can get back in business quickly from a destructive security attack like ransomware. Read more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint security and Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services offer small and medium-sized businesses a low cost end-to-end service for reliable backup/disaster recovery (BDR). For a low monthly cost, ProSight Data Protection Services automates and monitors your backup processes and allows fast restoration of critical files, apps and VMs that have become lost or corrupted due to component breakdowns, software bugs, natural disasters, human mistakes, or malicious attacks such as ransomware. ProSight Data Protection Services can help you protect, recover and restore files, folders, apps, system images, as well as Microsoft Hyper-V and VMware virtual machine images. Critical data can be backed up on the cloud, to a local device, or to both. Progent's BDR specialists can deliver world-class expertise to configure ProSight Data Protection Services to be compliant with government and industry regulatory standards like HIPAA, FINRA, PCI and Safe Harbor and, whenever needed, can assist you to restore your critical data. Read more about ProSight DPS Managed Backup.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering and email encryption service that uses the infrastructure of leading information security companies to provide web-based control and comprehensive protection for your email traffic. The hybrid architecture of Email Guard managed service integrates a Cloud Protection Layer with a local gateway appliance to provide advanced defense against spam, viruses, Denial of Service Attacks, DHAs, and other email-borne malware. The cloud filter acts as a first line of defense and keeps the vast majority of threats from making it to your security perimeter. This decreases your vulnerability to external threats and saves system bandwidth and storage space. Email Guard's on-premises security gateway device provides a deeper level of analysis for incoming email. For outgoing email, the local gateway offers anti-virus and anti-spam protection, protection against data leaks, and email encryption. The onsite gateway can also help Exchange Server to monitor and protect internal email that stays within your corporate firewall. For more information, visit Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is a network infrastructure management service that makes it easy and inexpensive for small and mid-sized businesses to map out, monitor, enhance and troubleshoot their connectivity hardware such as routers and switches, firewalls, and access points plus servers, endpoints and other networked devices. Incorporating cutting-edge Remote Monitoring and Management (RMM) technology, ProSight WAN Watch makes sure that infrastructure topology diagrams are always updated, copies and manages the configuration of virtually all devices connected to your network, tracks performance, and generates notices when potential issues are detected. By automating tedious network management processes, ProSight WAN Watch can knock hours off ordinary chores like network mapping, reconfiguring your network, locating devices that require important software patches, or identifying the cause of performance problems. Learn more details about ProSight WAN Watch network infrastructure monitoring and management services.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
    ProSight LAN Watch is Progentís server and desktop monitoring service that uses state-of-the-art remote monitoring and management (RMM) technology to help keep your IT system running at peak levels by tracking the state of vital computers that drive your information system. When ProSight LAN Watch detects an issue, an alarm is transmitted automatically to your specified IT personnel and your assigned Progent consultant so that all potential issues can be resolved before they have a chance to impact your network. Learn more details about ProSight LAN Watch server and desktop remote monitoring consulting.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With Progent's ProSight Virtual Hosting service, a small business can have its key servers and apps hosted in a secure Tier III data center on a fast virtual host set up and managed by Progent's network support professionals. Under the ProSight Virtual Hosting model, the customer owns the data, the OS platforms, and the apps. Since the environment is virtualized, it can be moved immediately to a different hardware environment without requiring a lengthy and technically risky configuration procedure. With ProSight Virtual Hosting, your business is not locked into one hosting service. Find out more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to create, update, retrieve and protect data about your IT infrastructure, processes, applications, and services. You can quickly find passwords or serial numbers and be alerted automatically about impending expirations of SSLs or warranties. By cleaning up and organizing your network documentation, you can eliminate up to 50% of time wasted searching for vital information about your IT network. ProSight IT Asset Management features a centralized repository for storing and sharing all documents required for managing your business network like standard operating procedures and How-To's. ProSight IT Asset Management also supports advanced automation for collecting and associating IT data. Whether youíre making improvements, doing regular maintenance, or responding to an emergency, ProSight IT Asset Management gets you the information you need the instant you need it. Read more about ProSight IT Asset Management service.
For 24/7 Fort Worth Crypto-Ransomware Removal Experts, contact Progent at 800-993-9400 or go to Contact Progent.