Ransomware : Your Crippling IT Disaster
Ransomware  Remediation ConsultantsRansomware has become a modern cyberplague that represents an extinction-level danger for organizations poorly prepared for an attack. Different versions of crypto-ransomware such as CrySIS, Fusob, Locky, Syskey and MongoLock cryptoworms have been out in the wild for a long time and continue to inflict havoc. More recent versions of crypto-ransomware such as Ryuk and Hermes, plus frequent as yet unnamed viruses, not only encrypt on-line information but also infect any available system protection. Information synchronized to off-site disaster recovery sites can also be encrypted. In a vulnerable data protection solution, this can render automated restoration impossible and effectively sets the entire system back to square one.

Retrieving applications and information following a ransomware attack becomes a sprint against the clock as the victim struggles to stop lateral movement and cleanup the ransomware and to resume mission-critical activity. Since ransomware takes time to spread, attacks are frequently launched during weekends and nights, when penetrations typically take longer to discover. This compounds the difficulty of quickly assembling and organizing a capable mitigation team.

Progent has a variety of solutions for protecting organizations from ransomware attacks. Among these are team member education to help identify and avoid phishing scams, ProSight Active Security Monitoring for remote monitoring and management, along with setup and configuration of the latest generation security appliances with artificial intelligence technology to rapidly identify and disable zero-day cyber threats. Progent also provides the assistance of expert ransomware recovery consultants with the skills and perseverance to reconstruct a compromised environment as rapidly as possible.

Progent's Crypto-Ransomware Recovery Services
After a crypto-ransomware event, even paying the ransom in Bitcoin cryptocurrency does not ensure that cyber hackers will respond with the codes to decrypt any or all of your files. Kaspersky estimated that seventeen percent of ransomware victims never recovered their data after having sent off the ransom, resulting in increased losses. The gamble is also very costly. Ryuk ransoms frequently range from 15-40 BTC ($120,000 and $400,000). This is significantly higher than the typical crypto-ransomware demands, which ZDNET estimates to be in the range of $13,000. The other path is to re-install the vital components of your Information Technology environment. Absent the availability of essential system backups, this requires a broad complement of skills, well-coordinated team management, and the willingness to work non-stop until the job is completed.

For twenty years, Progent has provided professional Information Technology services for businesses in Hialeah and throughout the U.S. and has achieved Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes engineers who have been awarded advanced industry certifications in leading technologies including Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cybersecurity specialists have earned internationally-renowned industry certifications including CISA, CISSP, CRISC, and SANS GIAC. (See Progent's certifications). Progent also has experience in accounting and ERP software solutions. This breadth of expertise affords Progent the skills to knowledgably ascertain necessary systems and re-organize the surviving parts of your Information Technology system after a ransomware penetration and rebuild them into an operational system.

Progent's recovery group deploys top notch project management tools to orchestrate the sophisticated recovery process. Progent appreciates the importance of acting quickly and in unison with a customerís management and IT resources to assign priority to tasks and to put essential systems back on-line as fast as humanly possible.

Customer Case Study: A Successful Ransomware Virus Restoration
A business engaged Progent after their network was taken over by the Ryuk ransomware. Ryuk is generally considered to have been launched by Northern Korean government sponsored cybercriminals, suspected of using technology leaked from Americaís National Security Agency. Ryuk attacks specific companies with limited ability to sustain disruption and is among the most lucrative instances of crypto-ransomware. Major organizations include Data Resolution, a California-based info warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a regional manufacturer located in the Chicago metro area and has about 500 workers. The Ryuk attack had shut down all company operations and manufacturing capabilities. Most of the client's system backups had been on-line at the beginning of the attack and were eventually encrypted. The client was pursuing financing for paying the ransom (more than $200,000) and praying for good luck, but ultimately utilized Progent.


"I canít say enough about the help Progent gave us throughout the most critical time of (our) companyís life. We most likely would have paid the Hackers if it wasnít for the confidence the Progent experts provided us. That you could get our e-mail and production servers back in less than a week was incredible. Each expert I talked with or communicated with at Progent was amazingly focused on getting us back on-line and was working breakneck pace on our behalf."

Progent worked together with the client to quickly get our arms around and prioritize the key applications that needed to be addressed to make it possible to restart departmental functions:

  • Active Directory
  • Electronic Messaging
  • MRP System
To start, Progent adhered to Anti-virus penetration response best practices by isolating and disinfecting systems. Progent then began the task of recovering Windows Active Directory, the heart of enterprise environments built on Microsoft Windows Server technology. Microsoft Exchange Server email will not work without Windows AD, and the customerís accounting and MRP system used Microsoft SQL Server, which needs Windows AD for security authorization to the database.

Within 2 days, Progent was able to rebuild Active Directory services to its pre-penetration state. Progent then completed setup and storage recovery of the most important applications. All Exchange Server schema and attributes were intact, which facilitated the rebuild of Exchange. Progent was also able to assemble non-encrypted OST data files (Outlook Offline Folder Files) on team PCs to recover email messages. A not too old offline backup of the customerís financials/MRP systems made them able to recover these vital programs back on-line. Although significant work remained to recover totally from the Ryuk virus, critical systems were returned to operations rapidly:


"For the most part, the production operation was never shut down and we produced all customer deliverables."

During the next few weeks critical milestones in the recovery project were made through close cooperation between Progent team members and the client:

  • In-house web sites were brought back up with no loss of information.
  • The MailStore Exchange Server containing more than four million archived emails was brought online and accessible to users.
  • CRM/Customer Orders/Invoices/Accounts Payable/Accounts Receivables (AR)/Inventory functions were 100 percent functional.
  • A new Palo Alto Networks 850 security appliance was brought online.
  • Ninety percent of the user PCs were functioning as before the incident.

"A huge amount of what went on in the early hours is nearly entirely a haze for me, but our team will not soon forget the urgency each of the team put in to help get our company back. I have been working together with Progent for at least 10 years, maybe more, and each time Progent has impressed me and delivered. This event was no exception but maybe more Herculean."

Conclusion
A probable business disaster was dodged with dedicated professionals, a broad range of knowledge, and close collaboration. Although in hindsight the ransomware penetration detailed here should have been blocked with advanced cyber security technology solutions and best practices, team training, and well thought out incident response procedures for information backup and keeping systems up to date with security patches, the reality remains that state-sponsored cyber criminals from China, Russia, North Korea and elsewhere are tireless and are an ongoing threat. If you do fall victim to a ransomware incursion, feel confident that Progent's roster of professionals has substantial experience in ransomware virus blocking, mitigation, and data restoration.


"So, to Darrin, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others who were helping), Iím grateful for letting me get some sleep after we made it through the most critical parts. Everyone did an fabulous job, and if anyone that helped is around the Chicago area, a great meal is on me!"

To read or download a PDF version of this ransomware incident report, click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent can provide companies in Hialeah a portfolio of online monitoring and security assessment services to assist you to minimize your vulnerability to ransomware. These services include modern machine learning technology to uncover new strains of ransomware that can escape detection by legacy signature-based anti-virus solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring is an endpoint protection (EPP) solution that incorporates cutting edge behavior machine learning tools to defend physical and virtual endpoint devices against modern malware attacks like ransomware and file-less exploits, which routinely get by traditional signature-based anti-virus products. ProSight ASM safeguards on-premises and cloud resources and offers a unified platform to address the entire malware attack progression including blocking, detection, containment, cleanup, and forensics. Key capabilities include one-click rollback using Windows VSS and automatic system-wide immunization against new threats. Read more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection (ESP): Endpoint Protection and Exchange Email Filtering
    Progent's ProSight Enhanced Security Protection managed services offer ultra-affordable in-depth security for physical servers and virtual machines, workstations, smartphones, and Exchange Server. ProSight ESP utilizes contextual security and advanced machine learning for round-the-clock monitoring and reacting to cyber assaults from all attack vectors. ProSight ESP offers two-way firewall protection, penetration alarms, device management, and web filtering through leading-edge technologies packaged within one agent accessible from a unified console. Progent's data protection and virtualization consultants can assist your business to plan and implement a ProSight ESP environment that addresses your organization's specific requirements and that allows you demonstrate compliance with government and industry information protection standards. Progent will help you specify and implement security policies that ProSight ESP will enforce, and Progent will monitor your network and react to alarms that call for immediate attention. Progent's consultants can also help your company to set up and test a backup and restore solution such as ProSight Data Protection Services so you can get back in business rapidly from a destructive cyber attack like ransomware. Read more about Progent's ProSight Enhanced Security Protection unified endpoint security and Microsoft Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery
    ProSight Data Protection Services from Progent provide small and mid-sized organizations a low cost end-to-end service for reliable backup/disaster recovery. Available at a low monthly cost, ProSight Data Protection Services automates your backup activities and allows fast restoration of vital data, applications and virtual machines that have become unavailable or damaged due to hardware breakdowns, software bugs, natural disasters, human error, or malicious attacks such as ransomware. ProSight Data Protection Services can help you protect, retrieve and restore files, folders, applications, system images, as well as Hyper-V and VMware images/. Critical data can be protected on the cloud, to an on-promises device, or to both. Progent's cloud backup specialists can provide world-class expertise to set up ProSight Data Protection Services to be compliant with regulatory standards such as HIPAA, FIRPA, and PCI and, whenever necessary, can help you to restore your critical data. Find out more about ProSight DPS Managed Cloud Backup.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that incorporates the technology of top data security vendors to provide web-based control and world-class protection for all your email traffic. The hybrid structure of Email Guard integrates cloud-based filtering with an on-premises security gateway device to offer complete defense against spam, viruses, Dos Attacks, DHAs, and other email-borne malware. The cloud filter acts as a preliminary barricade and keeps most threats from reaching your network firewall. This reduces your exposure to inbound attacks and saves system bandwidth and storage space. Email Guard's on-premises security gateway device provides a deeper layer of inspection for inbound email. For outgoing email, the local gateway offers anti-virus and anti-spam filtering, protection against data leaks, and email encryption. The onsite security gateway can also assist Microsoft Exchange Server to track and protect internal email traffic that originates and ends inside your corporate firewall. For more details, visit Email Guard spam and content filtering.

  • ProSight WAN Watch: Infrastructure Management
    ProSight WAN Watch is a network infrastructure management service that makes it easy and inexpensive for small and mid-sized businesses to map out, monitor, optimize and troubleshoot their connectivity hardware such as switches, firewalls, and load balancers plus servers, printers, endpoints and other networked devices. Incorporating cutting-edge Remote Monitoring and Management (RMM) technology, WAN Watch makes sure that network maps are kept updated, copies and manages the configuration of virtually all devices connected to your network, tracks performance, and generates alerts when potential issues are detected. By automating time-consuming management processes, ProSight WAN Watch can cut hours off common chores such as network mapping, expanding your network, finding devices that need important software patches, or identifying the cause of performance bottlenecks. Find out more details about ProSight WAN Watch network infrastructure monitoring and management services.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
    ProSight LAN Watch is Progentís server and desktop remote monitoring service that uses advanced remote monitoring and management technology to help keep your IT system operating efficiently by tracking the state of critical computers that power your information system. When ProSight LAN Watch uncovers an issue, an alarm is transmitted immediately to your specified IT staff and your Progent engineering consultant so all looming problems can be addressed before they have a chance to impact productivity. Learn more about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
    With ProSight Virtual Hosting service, a small organization can have its key servers and applications hosted in a secure Tier III data center on a high-performance virtual host configured and maintained by Progent's IT support professionals. With Progent's ProSight Virtual Hosting service model, the client retains ownership of the data, the OS platforms, and the apps. Because the system is virtualized, it can be moved easily to a different hardware solution without a time-consuming and difficult configuration procedure. With ProSight Virtual Hosting, your business is not tied a single hosting provider. Learn more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to create, maintain, retrieve and protect information about your IT infrastructure, processes, business apps, and services. You can instantly locate passwords or IP addresses and be warned automatically about impending expirations of SSL certificates ,domains or warranties. By cleaning up and managing your network documentation, you can save as much as 50% of time spent searching for vital information about your network. ProSight IT Asset Management features a centralized repository for storing and collaborating on all documents related to managing your business network such as standard operating procedures and How-To's. ProSight IT Asset Management also offers a high level of automation for collecting and relating IT information. Whether youíre making improvements, performing regular maintenance, or reacting to an emergency, ProSight IT Asset Management gets you the data you need when you need it. Read more about Progent's ProSight IT Asset Management service.
For Hialeah 24x7 Crypto Repair Consulting, contact Progent at 800-993-9400 or go to Contact Progent.