Ransomware : Your Worst IT Disaster
Crypto-Ransomware  Recovery ConsultantsRansomware has become a too-frequent cyberplague that poses an enterprise-level threat for organizations unprepared for an assault. Different iterations of ransomware like the Dharma, Fusob, Locky, SamSam and MongoLock cryptoworms have been running rampant for a long time and continue to cause damage. Modern strains of ransomware such as Ryuk and Hermes, plus more unnamed newcomers, not only do encryption of online data but also infiltrate any accessible system restores and backups. Files synched to the cloud can also be encrypted. In a poorly architected environment, this can make automated recovery hopeless and basically sets the entire system back to square one.

Getting back online services and data after a ransomware event becomes a sprint against time as the victim tries its best to stop the spread and eradicate the crypto-ransomware and to restore mission-critical operations. Because ransomware takes time to spread, attacks are often sprung during weekends and nights, when successful attacks may take more time to identify. This compounds the difficulty of rapidly mobilizing and organizing a capable response team.

Progent offers a variety of help services for securing organizations from ransomware attacks. These include team training to become familiar with and avoid phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, plus installation of the latest generation security gateways with machine learning technology to quickly identify and quarantine new cyber attacks. Progent in addition can provide the services of veteran ransomware recovery consultants with the track record and commitment to reconstruct a breached environment as rapidly as possible.

Progent's Ransomware Recovery Help
After a crypto-ransomware event, sending the ransom demands in Bitcoin cryptocurrency does not guarantee that distant criminals will provide the keys to unencrypt all your files. Kaspersky determined that 17% of ransomware victims never recovered their data after having sent off the ransom, resulting in more losses. The risk is also expensive. Ryuk ransoms commonly range from fifteen to forty BTC ($120,000 and $400,000). This is significantly above the typical crypto-ransomware demands, which ZDNET averages to be in the range of $13,000. The alternative is to setup from scratch the key components of your Information Technology environment. Absent the availability of essential system backups, this calls for a wide complement of skills, top notch project management, and the ability to work 24x7 until the recovery project is complete.

For twenty years, Progent has provided professional Information Technology services for companies in Grand Rapids and throughout the US and has earned Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes engineers who have attained advanced certifications in important technologies like Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cyber security engineers have earned internationally-renowned industry certifications including CISM, CISSP-ISSAP, ISACA CRISC, and GIAC. (Refer to Progent's certifications). Progent in addition has experience in financial management and ERP applications. This breadth of experience provides Progent the ability to quickly determine critical systems and re-organize the remaining parts of your network environment following a crypto-ransomware attack and assemble them into an operational network.

Progent's recovery team has state-of-the-art project management applications to orchestrate the complicated restoration process. Progent understands the urgency of acting quickly and in concert with a client's management and Information Technology team members to prioritize tasks and to put key services back online as fast as humanly possible.

Business Case Study: A Successful Ransomware Intrusion Response
A business hired Progent after their network system was penetrated by Ryuk ransomware virus. Ryuk is believed to have been created by North Korean state sponsored criminal gangs, suspected of adopting approaches exposed from the United States NSA organization. Ryuk attacks specific organizations with little room for operational disruption and is one of the most profitable incarnations of crypto-ransomware. Major targets include Data Resolution, a California-based information warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a small manufacturing business headquartered in Chicago with about 500 employees. The Ryuk event had brought down all company operations and manufacturing capabilities. Most of the client's data protection had been directly accessible at the beginning of the attack and were encrypted. The client was pursuing financing for paying the ransom demand (in excess of $200,000) and hoping for the best, but in the end engaged Progent.


"I cannot thank you enough in regards to the help Progent provided us during the most fearful period of (our) businesses survival. We had little choice but to pay the cyber criminals behind the attack except for the confidence the Progent team afforded us. The fact that you were able to get our messaging and important servers back on-line faster than seven days was incredible. Each expert I got help from or messaged at Progent was totally committed on getting us operational and was working at all hours on our behalf."

Progent worked hand in hand the client to quickly get our arms around and assign priority to the critical elements that needed to be restored in order to resume business operations:

  • Microsoft Active Directory
  • E-Mail
  • MRP System
To get going, Progent followed ransomware incident mitigation industry best practices by isolating and performing virus removal steps. Progent then initiated the task of recovering Active Directory, the foundation of enterprise systems built upon Microsoft Windows technology. Exchange messaging will not operate without AD, and the customerís MRP software utilized Microsoft SQL Server, which requires Active Directory for access to the information.

In less than 48 hours, Progent was able to re-build Windows Active Directory to its pre-intrusion state. Progent then performed rebuilding and storage recovery of needed systems. All Exchange schema and configuration information were usable, which accelerated the restore of Exchange. Progent was able to collect intact OST data files (Outlook Offline Folder Files) on team desktop computers to recover mail messages. A recent off-line backup of the customerís manufacturing software made them able to recover these essential services back on-line. Although significant work was left to recover completely from the Ryuk event, essential services were returned to operations rapidly:


"For the most part, the assembly line operation did not miss a beat and we made all customer sales."

Over the following couple of weeks important milestones in the restoration project were achieved through close collaboration between Progent engineers and the customer:

  • Internal web applications were restored with no loss of information.
  • The MailStore Exchange Server with over 4 million historical emails was brought on-line and available for users.
  • CRM/Orders/Invoicing/Accounts Payable/AR/Inventory modules were completely operational.
  • A new Palo Alto 850 firewall was brought on-line.
  • 90% of the user desktops were fully operational.

"Much of what was accomplished those first few days is mostly a haze for me, but my team will not soon forget the urgency each and every one of the team accomplished to help get our business back. I have entrusted Progent for at least 10 years, possibly more, and every time Progent has outperformed my expectations and delivered as promised. This situation was a stunning achievement."

Conclusion
A potential business-ending catastrophe was avoided due to hard-working professionals, a broad array of knowledge, and close teamwork. Although upon completion of forensics the ransomware incident described here could have been identified and prevented with modern security solutions and best practices, user education, and appropriate security procedures for backup and proper patching controls, the fact remains that state-sponsored cybercriminals from China, Russia, North Korea and elsewhere are tireless and represent an ongoing threat. If you do get hit by a ransomware penetration, feel confident that Progent's roster of professionals has a proven track record in crypto-ransomware virus blocking, mitigation, and file disaster recovery.


"So, to Darrin, Matt, Aaron, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others that were helping), Iím grateful for allowing me to get rested after we got through the first week. Everyone did an impressive effort, and if any of your team is around the Chicago area, dinner is on me!"

To review or download a PDF version of this customer case study, please click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent can provide businesses in Grand Rapids a range of online monitoring and security assessment services to help you to minimize the threat from ransomware. These services incorporate modern AI capability to detect new strains of crypto-ransomware that can evade legacy signature-based anti-virus products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring is an endpoint protection (EPP) solution that utilizes cutting edge behavior-based machine learning technology to defend physical and virtual endpoints against new malware assaults like ransomware and file-less exploits, which routinely get by legacy signature-matching AV tools. ProSight ASM safeguards local and cloud-based resources and provides a unified platform to address the complete malware attack lifecycle including protection, identification, containment, remediation, and forensics. Key features include single-click rollback with Windows VSS and real-time system-wide immunization against newly discovered threats. Read more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection: Endpoint Security and Microsoft Exchange Email Filtering
    ProSight Enhanced Security Protection managed services deliver affordable in-depth security for physical servers and virtual machines, desktops, mobile devices, and Exchange email. ProSight ESP uses adaptive security and advanced heuristics for round-the-clock monitoring and responding to cyber assaults from all vectors. ProSight ESP provides firewall protection, penetration alarms, device management, and web filtering through leading-edge tools incorporated within one agent managed from a single control. Progent's data protection and virtualization experts can assist your business to design and implement a ProSight ESP environment that meets your organization's unique needs and that allows you prove compliance with legal and industry information security regulations. Progent will help you define and configure policies that ProSight ESP will enforce, and Progent will monitor your network and respond to alarms that call for urgent attention. Progent's consultants can also assist you to set up and verify a backup and restore solution like ProSight Data Protection Services so you can get back in business rapidly from a potentially disastrous cyber attack like ransomware. Find out more about Progent's ProSight Enhanced Security Protection unified endpoint security and Microsoft Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services from Progent provide small and medium-sized businesses a low cost end-to-end service for reliable backup/disaster recovery. Available at a fixed monthly rate, ProSight Data Protection Services automates your backup processes and enables fast restoration of vital data, applications and VMs that have become lost or damaged due to hardware failures, software glitches, natural disasters, human error, or malware attacks like ransomware. ProSight DPS can help you back up, recover and restore files, folders, applications, system images, as well as Hyper-V and VMware images/. Critical data can be protected on the cloud, to a local device, or mirrored to both. Progent's BDR consultants can deliver world-class expertise to configure ProSight Data Protection Services to be compliant with regulatory standards such as HIPAA, FIRPA, and PCI and, when needed, can assist you to recover your critical information. Learn more about ProSight Data Protection Services Managed Backup.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering service that uses the infrastructure of top information security vendors to provide web-based control and world-class security for your email traffic. The powerful structure of Progent's Email Guard integrates a Cloud Protection Layer with a local gateway device to provide advanced defense against spam, viruses, Dos Attacks, DHAs, and other email-borne malware. Email Guard's Cloud Protection Layer acts as a first line of defense and blocks the vast majority of threats from making it to your security perimeter. This decreases your vulnerability to external threats and conserves system bandwidth and storage. Email Guard's on-premises gateway appliance adds a further level of analysis for inbound email. For outgoing email, the onsite gateway offers AV and anti-spam protection, DLP, and email encryption. The on-premises security gateway can also help Microsoft Exchange Server to track and safeguard internal email that originates and ends within your security perimeter. For more information, visit Email Guard spam and content filtering.

  • ProSight WAN Watch: Infrastructure Management
    ProSight WAN Watch is an infrastructure monitoring and management service that makes it simple and inexpensive for small and mid-sized businesses to map out, track, reconfigure and debug their connectivity hardware like routers, firewalls, and access points as well as servers, printers, endpoints and other networked devices. Using state-of-the-art RMM technology, WAN Watch makes sure that infrastructure topology diagrams are kept updated, copies and displays the configuration of almost all devices connected to your network, monitors performance, and generates alerts when issues are discovered. By automating tedious management activities, ProSight WAN Watch can knock hours off common tasks such as making network diagrams, expanding your network, locating devices that need critical software patches, or resolving performance problems. Learn more details about ProSight WAN Watch network infrastructure management services.

  • ProSight LAN Watch: Server and Desktop Monitoring and Management
    ProSight LAN Watch is Progentís server and desktop monitoring managed service that incorporates advanced remote monitoring and management (RMM) techniques to help keep your IT system running efficiently by checking the state of critical computers that power your business network. When ProSight LAN Watch uncovers an issue, an alarm is sent immediately to your designated IT management personnel and your Progent consultant so any looming problems can be addressed before they can impact productivity. Find out more about ProSight LAN Watch server and desktop monitoring consulting.

  • ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
    With Progent's ProSight Virtual Hosting service, a small business can have its key servers and apps hosted in a protected Tier III data center on a high-performance virtual machine host set up and managed by Progent's IT support experts. With the ProSight Virtual Hosting service model, the customer retains ownership of the data, the OS platforms, and the applications. Since the environment is virtualized, it can be moved easily to an alternate hardware solution without a lengthy and difficult reinstallation procedure. With ProSight Virtual Hosting, your business is not locked into a single hosting service. Learn more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to capture, maintain, retrieve and safeguard data about your IT infrastructure, procedures, business apps, and services. You can instantly locate passwords or serial numbers and be warned about upcoming expirations of SSL certificates ,domains or warranties. By cleaning up and managing your IT infrastructure documentation, you can save up to 50% of time wasted trying to find vital information about your IT network. ProSight IT Asset Management includes a common location for storing and sharing all documents related to managing your business network such as recommended procedures and self-service instructions. ProSight IT Asset Management also supports advanced automation for collecting and associating IT information. Whether youíre planning improvements, doing regular maintenance, or reacting to a crisis, ProSight IT Asset Management delivers the information you require as soon as you need it. Learn more about ProSight IT Asset Management service.
For 24-Hour Grand Rapids Crypto Remediation Consultants, reach out to Progent at 800-993-9400 or go to Contact Progent.