Ransomware : Your Crippling IT Nightmare
Crypto-ransomware has become an escalating cyber plague that poses an existential threat to businesses exposed to attack. Ransomware families such as Dharma, CryptoWall, Locky, SamSam and MongoLock have been around for years and continue to inflict damage. Strains such as Ryuk and Hermes, along with less-publicized variants, not only encrypt online data files but also encrypt any backups that are reachable from the compromised network. Data synced to the cloud can also be overwritten with encrypted copies. In a vulnerable environment this renders automated recovery useless and effectively knocks the datacenter back to zero.
Getting programs and data back online after a ransomware outage becomes a race against the clock as the targeted business fights to stop the spread, clean up the malware and resume business-critical operations. Because encrypting an entire network takes time, attacks are frequently launched on weekends, when intrusions tend to take longer to discover. This compounds the difficulty of rapidly assembling and coordinating a capable response team.
Progent offers an assortment of services for protecting organizations from crypto-ransomware attacks. Among these are user training to help staff recognize and avoid phishing, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and setup and configuration of next-generation security appliances that use machine learning to rapidly detect and block new attacks. Progent also offers the services of seasoned ransomware recovery engineers with the skills and perseverance to rebuild a breached environment as rapidly as possible.
Progent's Crypto-Ransomware Restoration Services
After a crypto-ransomware event, even paying the ransom in cryptocurrency does not ensure that the criminals will respond with the keys to decrypt all your files. Kaspersky estimated that 17% of crypto-ransomware victims never recovered their data even after paying, compounding their losses. Paying is also very expensive. Ryuk ransoms often range from 15 to 40 BTC (roughly $120,000 to $400,000 at the time), far above the typical ransomware demand, which ZDNet put at around $13,000. The alternative is to rebuild the vital elements of your IT environment from scratch. Without complete, uninfected backups, this requires a broad set of skills, top-notch team management, and the ability to work continuously until the job is done.
For twenty years, Progent has provided certified expert IT services to companies in Fort Worth and across the U.S. and has earned Microsoft Partner status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes consultants who hold top certifications in foundation technologies from Microsoft, Cisco and VMware and in major Linux distributions. Progent's cyber security consultants hold internationally recognized certifications including CISA, CISSP, CRISC, and GIAC (see Progent's certifications). Progent also has experience with financial systems and ERP applications. This breadth of experience lets Progent quickly understand critical systems, organize the surviving components of your IT environment after a crypto-ransomware event, and configure them back into a functioning system.
Progent's security team uses proven project management systems to orchestrate the complex recovery process. Progent appreciates the urgency of acting quickly and in concert with a client's management and IT staff to prioritize tasks and bring the most important applications back online as soon as possible.
Client Story: A Successful Ransomware Incident Restoration
A business contacted Progent after its network was taken over by Ryuk crypto-ransomware. Ryuk was initially attributed by some analysts to North Korean state-sponsored actors, although later analysis linked it to Russian-speaking criminal groups; its operators have been suspected of using techniques exposed in leaks of U.S. National Security Agency tooling. Ryuk targets specific organizations with little or no tolerance for operational disruption and is among the most profitable incarnations of crypto-ransomware. Highly publicized victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a manufacturing company located in Chicago with around 500 employees. The Ryuk attack had shut down all company operations and manufacturing processes. Most of the client's backups had been online at the time of the intrusion and were eventually encrypted. The client was preparing to pay the ransom demand (in excess of $200,000) and hope for the best, but ultimately reached out to Progent.
"I cannot thank you enough in regards to the expertise Progent gave us during the most stressful period of (our) company's life. We may have had to pay the criminal gangs if not for the confidence the Progent group provided us. That you could get our messaging and key applications back online faster than one week was amazing. Every single staff member I talked with or e-mailed at Progent was urgently focused on getting us operational and was working all day and night on our behalf."
Progent worked with the customer to quickly assess and prioritize the mission-critical systems that had to be restored to restart company operations:
- Windows Active Directory
- Exchange Server
- Accounting and Manufacturing Software
First, Progent followed incident-response best practices for malware outbreaks by halting the spread and cleaning infected systems. Progent then began restoring Microsoft Active Directory, the heart of enterprise environments built on Windows Server. Microsoft Exchange Server will not operate without Active Directory, and the customer's financial and MRP software ran on Microsoft SQL Server, which relied on Active Directory for authentication and access control to the data.
In less than two days, Progent rebuilt Windows Active Directory to its pre-attack state. Progent then completed setup and storage recovery on the required servers. All Exchange Server schema extensions and attributes in Active Directory were intact, which simplified the Exchange restore. Progent was able to recover mailbox contents from the Outlook Offline Data Files (.ost) cached on user workstations. A reasonably recent offline backup of the accounting/MRP software made it possible to bring these vital services back online. Although a great deal of work remained to recover completely from the Ryuk event, essential services were restored rapidly:
"For the most part, the production line operation survived unscathed and we did not miss any customer orders."
During the next few weeks critical milestones in the restoration project were accomplished in tight cooperation between Progent team members and the client:
- Internal web applications were returned to operation with no loss of data.
- The MailStore Server containing more than 4 million archived emails was spun up and accessible to users.
- CRM/Customer Orders/Invoices/AP/Accounts Receivables/Inventory modules were fully restored.
- A new Palo Alto 850 security appliance was set up and programmed.
- Nearly all of the desktops and laptops were back in operation.
"A lot of what transpired in the early hours is mostly a haze for me, but we will not soon forget the urgency each of your team accomplished to give us our company back. I have entrusted Progent for the past 10 years, maybe more, and every time Progent has come through and delivered. This time was no exception but maybe more Herculean."
A likely business-ending catastrophe was averted by hard-working experts, a wide array of subject matter expertise, and close teamwork. Post-incident analysis showed that the crypto-ransomware attack described here could have been identified and blocked with up-to-date security technology, NIST Cybersecurity Framework best practices, staff training, and properly executed procedures for data backup and patch management. The reality remains, however, that state-sponsored and criminal cyber gangs from Russia, North Korea and elsewhere are tireless and are not going away. If you are hit by a crypto-ransomware intrusion, remember that Progent's team of experts has a proven track record in ransomware defense, cleanup, and disaster recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (along with others who were contributing), thanks very much for allowing me to get some sleep after we made it over the first week. All of you did an incredible job, and if anyone that helped is in the Chicago area, a great meal is on me!"
To review or download a PDF version of this case study, click:
Progent's Crypto-Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Offered by Progent
Progent offers businesses in Fort Worth a portfolio of remote monitoring and security assessment services designed to reduce your exposure to crypto-ransomware. These services incorporate next-generation machine learning to detect zero-day variants of crypto-ransomware that evade traditional signature-based security products.
For 24-7 Fort Worth crypto-ransomware removal consultants, call Progent at 800-993-9400 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection service that uses behavior analysis to guard physical and virtual endpoints against modern malware such as ransomware and file-less exploits, which routinely evade traditional signature-based anti-virus products. ProSight Active Security Monitoring protects on-premises and cloud-based resources and provides a unified platform to automate the full threat lifecycle: protection, detection, containment, cleanup, and forensics. Key features include one-click rollback using Windows Volume Shadow Copy Service (VSS) snapshots and automatic network-wide immunization against newly identified threats. Note that VSS-based rollback depends on the shadow copies surviving the attack; many ransomware families delete them before encrypting, so rollback complements rather than replaces offline backups. Read more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware recovery.
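To make concrete the kind of behavioral signal an endpoint product watches for before the encryption stage, here is an added example (it is not ProSight code or any Progent tool) that scans process-creation log lines for commands ransomware families run to destroy local recovery options: deleting volume shadow copies, wiping the Windows backup catalog, and disabling startup repair. Ryuk is documented to run exactly these commands. The pipe-delimited log layout, host names, user names and the sample events themselves are constructed for this example.

```python
import re
from collections import defaultdict

# Constructed process-creation records for this example. The pipe-delimited
# layout (timestamp|host|user|parent_image|image|command_line), host names and
# user names are assumptions, not any vendor's log format.
SAMPLE_EVENTS = r"""
2019-03-09T02:14:07Z|WS-FIN-07|CORP\jdoe|outlook.exe|excel.exe|"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE" Q1-invoices.xlsm
2019-03-09T02:31:55Z|WS-FIN-07|NT AUTHORITY\SYSTEM|cmd.exe|vssadmin.exe|vssadmin.exe Delete Shadows /all /quiet
2019-03-09T02:31:56Z|WS-FIN-07|NT AUTHORITY\SYSTEM|cmd.exe|wbadmin.exe|wbadmin DELETE CATALOG -quiet
2019-03-09T02:31:57Z|WS-FIN-07|NT AUTHORITY\SYSTEM|cmd.exe|bcdedit.exe|bcdedit /set {default} recoveryenabled No
2019-03-09T08:05:12Z|SRV-BKP-01|CORP\backupsvc|svchost.exe|vssadmin.exe|vssadmin.exe Resize ShadowStorage /For=D: /On=D: /MaxSize=UNBOUNDED
2019-03-09T08:10:00Z|SRV-FILE-02|CORP\mlee|explorer.exe|notepad.exe|notepad.exe C:\Users\mlee\notes.txt
""".strip().splitlines()

# Command-line patterns that destroy local recovery options. Each is a
# documented pre-encryption step of Ryuk and several other families.
PRECURSOR_RULES = {
    "shadow_copy_deletion":    re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows", re.I),
    "shadow_storage_resize":   re.compile(r"\bvssadmin(?:\.exe)?\s+resize\s+shadowstorage", re.I),
    "wmic_shadowcopy_delete":  re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete", re.I),
    "backup_catalog_wipe":     re.compile(r"\bwbadmin(?:\.exe)?\s+delete\s+catalog", re.I),
    "startup_repair_disabled": re.compile(r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\s+no\b", re.I),
    "boot_failures_ignored":   re.compile(r"\bbcdedit(?:\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I),
}


def parse_event(line):
    """Split one record into named fields; the command line may itself contain '|'."""
    ts, host, user, parent, image, cmdline = line.split("|", 5)
    return {"ts": ts, "host": host, "user": user,
            "parent": parent, "image": image, "cmdline": cmdline}


def match_precursors(cmdline):
    """Names of every precursor rule that matches a single command line."""
    return [name for name, rx in PRECURSOR_RULES.items() if rx.search(cmdline)]


def scan_events(lines):
    """Group matches by host: {host: {rule_name: [command_line, ...]}}."""
    hits = defaultdict(lambda: defaultdict(list))
    for line in lines:
        ev = parse_event(line)
        for rule in match_precursors(ev["cmdline"]):
            hits[ev["host"]][rule].append(ev["cmdline"])
    return hits


def triage(lines, critical_threshold=2):
    """Rate each host that produced at least one hit.

    One isolated hit (for example a backup server legitimately resizing
    shadow storage) deserves a look but is routine admin activity; two or
    more distinct precursor behaviours on the same host is the staging
    pattern seen immediately before mass encryption and is rated critical.
    """
    verdicts = {}
    for host, rules in scan_events(lines).items():
        severity = "critical" if len(rules) >= critical_threshold else "review"
        verdicts[host] = {"severity": severity, "rules": sorted(rules)}
    return verdicts


if __name__ == "__main__":
    for host, v in triage(SAMPLE_EVENTS).items():
        print(f"{v['severity']:8} {host}: {', '.join(v['rules'])}")
```

Run as-is, the block rates WS-FIN-07 critical (three distinct precursor behaviours within seconds) and SRV-BKP-01 review (a single shadow-storage resize by the backup service account). In production the same logic would be fed from Sysmon Event ID 1 or Windows Security event 4688 with command-line auditing enabled, and a critical verdict is the moment to isolate the host: by then the shadow copies a VSS rollback would rely on have already been deleted, which is why offline backups remain essential.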
- ProSight Enhanced Security Protection (ESP): Endpoint Protection and Exchange Email Filtering
ProSight Enhanced Security Protection (ESP) managed services offer economical in-depth security for physical servers and virtual machines, desktops, smartphones, and Microsoft Exchange. ProSight ESP uses contextual security and advanced heuristics for round-the-clock monitoring of and response to security threats from all vectors. ProSight ESP provides two-way firewall protection, intrusion alerts, device control, and web filtering through tools packaged within a single agent managed from a unified console. Progent's data protection and virtualization experts can help you plan and configure a ProSight ESP environment that addresses your organization's specific needs and that allows you to demonstrate compliance with government and industry information protection regulations. Progent will help you specify and configure the security policies that ProSight ESP enforces, and Progent will monitor your network and react to alerts that require urgent action. Progent can also help you install and test a backup and restore system such as ProSight Data Protection Services so you can get back in business rapidly after a destructive cyber attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint security and Microsoft Exchange filtering.
- ProSight Data Protection Services: Managed Backup and Recovery
ProSight Data Protection Services from Progent offer small and medium-sized organizations an affordable and fully managed service for secure backup and disaster recovery (BDR). Available at a low monthly price, ProSight DPS automates your backup activities and enables rapid restoration of critical files, applications and virtual machines that have been lost or damaged due to component failures, software bugs, disasters, human error, or malware attacks such as ransomware. ProSight DPS can help you back up, retrieve and restore files, folders, applications, system images, and Hyper-V and VMware virtual machine images. Important data can be backed up to the cloud, to a local device, or to both. Progent's BDR consultants can provide advanced expertise to set up ProSight DPS to comply with regulatory requirements such as HIPAA, FINRA, PCI and Safe Harbor and, when necessary, can help you recover your business-critical data. Read more about ProSight Data Protection Services Managed Cloud Backup.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam filtering service that incorporates the infrastructure of leading information security vendors to provide centralized control and comprehensive protection for your inbound and outbound email. The hybrid structure of Progent's Email Guard managed service integrates a Cloud Protection Layer with an on-premises gateway appliance to provide layered defense against spam, viruses, Denial of Service (DoS) attacks, directory harvest attacks (DHAs), and other email-borne malware. The cloud filter serves as the first line of defense and blocks the vast majority of threats before they reach your network firewall. This decreases your exposure to external attacks and conserves network bandwidth and storage space. Email Guard's onsite security gateway appliance provides a further level of inspection for incoming email. For outbound email, the onsite security gateway offers anti-virus and anti-spam filtering, protection against data leaks, and email encryption. The local gateway can also help Microsoft Exchange Server track and safeguard internal email traffic that originates and ends within your security perimeter. For more information, visit Email Guard spam and content filtering.
- ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
ProSight WAN Watch is an infrastructure management service that makes it easy and affordable for smaller organizations to diagram, monitor, enhance and debug their networking hardware like switches, firewalls, and load balancers plus servers, printers, client computers and other devices. Incorporating state-of-the-art Remote Monitoring and Management (RMM) technology, WAN Watch ensures that infrastructure topology maps are kept updated, copies and displays the configuration information of almost all devices on your network, tracks performance, and generates alerts when problems are detected. By automating time-consuming management processes, ProSight WAN Watch can cut hours off common tasks like network mapping, expanding your network, locating devices that need important software patches, or resolving performance problems. Find out more details about ProSight WAN Watch infrastructure management services.
- ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
ProSight LAN Watch is Progent's server and desktop remote monitoring service that uses state-of-the-art remote monitoring and management techniques to keep your IT system operating at peak levels by checking the state of the critical computers that power your information system. When ProSight LAN Watch uncovers a problem, an alert is transmitted automatically to your designated IT management staff and your assigned Progent consultant so that any looming issues can be addressed before they disrupt productivity. Find out more details about ProSight LAN Watch server and desktop monitoring services.
- ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
With Progent's ProSight Virtual Hosting service, a small or mid-size organization can have its critical servers and apps hosted in a secure fault tolerant data center on a fast virtual host configured and managed by Progent's network support experts. Under the ProSight Virtual Hosting service model, the client owns the data, the operating system software, and the applications. Since the system is virtualized, it can be ported easily to an alternate hosting environment without a lengthy and technically risky configuration procedure. With ProSight Virtual Hosting, you are not locked into one hosting provider. Learn more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to capture, maintain, find and safeguard information related to your network infrastructure, processes, applications, and services. You can quickly find passwords or IP addresses and be warned about impending expirations of SSL certificates, domains or warranties. By cleaning up and organizing your network documentation, you can save as much as half of the time wasted looking for critical information about your IT network. ProSight IT Asset Management includes a centralized repository for holding and sharing all documents related to managing your network infrastructure, such as standard operating procedures and self-service instructions. ProSight IT Asset Management also offers advanced automation for gathering and associating IT information. Whether you're planning enhancements, doing regular maintenance, or reacting to a crisis, ProSight IT Asset Management gets you the knowledge you require as soon as you need it. Read more about Progent's ProSight IT Asset Management service.