Ransomware : Your Worst IT Catastrophe
Crypto-ransomware has become an escalating cyberplague that presents an enterprise-level threat for organizations unprepared for an attack. Different iterations of ransomware such as Reveton, CryptoWall, Bad Rabbit, Syskey and MongoLock cryptoworms have been running rampant for a long time and still inflict havoc. The latest strains of ransomware like Ryuk, Maze, Sodinokibi, Netwalker, Lockbit or Egregor, as well as frequent unnamed variants, not only encrypt online data but also infiltrate any accessible system protection mechanisms. Data synchronized to cloud environments can also be ransomed. In a poorly architected environment, this can make automated restore operations useless and effectively knock the entire system back to square one.
Getting back programs and data following a ransomware event becomes a sprint against time as the targeted organization tries its best to stop lateral movement, clear the ransomware, and restore enterprise-critical operations. Because crypto-ransomware takes time to move laterally, penetrations are often sprung during nights and weekends, when attacks are likely to take longer to notice. This compounds the difficulty of promptly mobilizing and coordinating an experienced mitigation team.
Progent provides an assortment of services for securing businesses from ransomware events. These include team member training to become familiar with and avoid phishing exploits, ProSight Active Security Monitoring (ASM) for remote monitoring and management, plus setup and configuration of the latest generation security solutions with machine learning technology to quickly identify and suppress day-zero cyber threats. Progent also can provide the services of veteran ransomware recovery professionals with the track record and commitment to reconstruct a breached system as rapidly as possible.
Progent's Ransomware Recovery Help
Following a crypto-ransomware attack, paying the ransom demand in Bitcoin cryptocurrency does not provide any assurance that the cyber criminals will respond with the keys needed to decipher any of your files. Kaspersky Labs ascertained that seventeen percent of ransomware victims never recovered their files even after having sent off the ransom, resulting in further losses. The gamble is also costly. Ryuk ransoms often range from fifteen to forty BTC ($120,000 to $400,000). This is greatly above the average ransomware demand, which ZDNet reports to be approximately $13,000. The other path is to piece back together the mission-critical parts of your Information Technology environment. Absent access to essential system backups, this calls for a wide complement of skill sets, well-coordinated project management, and the capability to work continuously until the task is done.
For two decades, Progent has provided professional Information Technology services for companies in Irving and across the US and has achieved Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes consultants who have been awarded advanced certifications in key technologies like Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cyber security specialists have earned internationally-renowned industry certifications including CISA, CISSP, ISACA CRISC, and GIAC. (Visit Progent's certifications). Progent also has experience in accounting and ERP software solutions. This breadth of experience gives Progent the ability to quickly identify critical systems, consolidate the surviving parts of your IT system following a ransomware penetration, and rebuild them into a functioning system.
Progent's ransomware group uses best of breed project management systems to coordinate the complex recovery process. Progent appreciates the urgency of acting quickly and in unison with a client's management and IT staff to assign priority to tasks and to put critical systems back on-line as soon as possible.
Customer Story: A Successful Crypto-Ransomware Incident Restoration
A business hired Progent after their network system was taken over by the Ryuk crypto-ransomware. Ryuk is believed to have been deployed by North Korean state-sponsored cybercriminals, suspected of using techniques leaked from America's National Security Agency. Ryuk targets specific businesses with little or no ability to sustain disruption and is one of the most profitable incarnations of crypto-ransomware. Major victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a single-location manufacturing company based in Chicago with around 500 employees. The Ryuk event had paralyzed all essential operations and manufacturing capabilities. Most of the client's system backups had been directly accessible from the network at the beginning of the attack and were damaged. The client considered paying the ransom demand (in excess of $200K) and hoping for the best, but ultimately reached out to Progent.
"I cannot tell you enough about the support Progent gave us throughout the most critical time of (our) business's life. We most likely would have paid the hackers behind this attack if it wasn't for the confidence the Progent group provided us. The fact that you were able to get our e-mail and critical applications back into operation quicker than a week was earth shattering. Each expert I spoke to or communicated with at Progent was hell bent on getting us operational and was working 24/7 on our behalf."
Progent worked with the client to quickly identify and prioritize the most important applications that had to be recovered in order to continue business functions:
- Active Directory (AD)
- Microsoft Exchange Server
To begin, Progent followed incident response best practices by stopping lateral movement and clearing infected systems. Progent then started the work of recovering Microsoft Active Directory, the core of enterprise environments built upon Microsoft technology. Exchange messaging will not operate without AD, and the business's financials and MRP applications used Microsoft SQL Server, which relies on Windows AD for authentication and authorization to the databases.
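The recovery order in this case follows from service dependencies: Active Directory comes first because Exchange and the SQL-backed financial and MRP applications cannot authenticate without it. The following Python is an added illustration of that planning step, not Progent's tooling or part of the case study. The dependency map is constructed from the services named above (the MailStore archive and web sites are included as assumed entries), and the planner groups services into restore waves so that nothing is brought up before what it depends on, refusing to produce a plan if the dependencies are circular.

```python
"""Dependency-ordered recovery planning (added example, not Progent's code).

The dependency map is constructed from the case study: Exchange needs
Active Directory, the financial/MRP applications need SQL Server, and SQL
Server needs AD for Windows authentication. Other entries are assumptions.
"""
from collections import defaultdict, deque

# Constructed dependency map: service -> services it cannot run without.
RECOVERY_DEPENDENCIES = {
    "Active Directory": [],
    "Microsoft Exchange Server": ["Active Directory"],
    "Microsoft SQL Server": ["Active Directory"],
    "Financials": ["Microsoft SQL Server"],
    "MRP": ["Microsoft SQL Server"],
    "Mail archive (MailStore)": ["Microsoft Exchange Server"],  # assumed
    "Web sites": [],                                             # assumed
}


def recovery_waves(deps):
    """Return a list of waves; every service in a wave depends only on
    services in earlier waves, so each wave can be restored in parallel.
    Raises ValueError if a cycle exists (nothing could be restored first).
    """
    # Every dependency mentioned must itself be a node, even if it has
    # no entry of its own in the map.
    nodes = set(deps)
    for targets in deps.values():
        nodes.update(targets)

    indegree = {n: 0 for n in nodes}          # unmet dependencies per service
    dependents = defaultdict(list)            # service -> services waiting on it
    for svc, needs in deps.items():
        for need in needs:
            indegree[svc] += 1
            dependents[need].append(svc)

    # Kahn's algorithm, wave by wave: start with services needing nothing.
    ready = deque(n for n in nodes if indegree[n] == 0)
    waves, placed = [], 0
    while ready:
        wave = sorted(ready)                  # alphabetical for a stable plan
        ready.clear()
        for svc in wave:
            placed += 1
            for child in dependents[svc]:
                indegree[child] -= 1
                if indegree[child] == 0:
                    ready.append(child)
        waves.append(wave)

    if placed != len(nodes):
        stuck = sorted(n for n in nodes if indegree[n] > 0)
        raise ValueError(f"circular dependency among: {stuck}")
    return waves


def recovery_order(deps):
    """Flat restore order: earlier waves first, alphabetical within a wave."""
    return [svc for wave in recovery_waves(deps) for svc in wave]


if __name__ == "__main__":
    for i, wave in enumerate(recovery_waves(RECOVERY_DEPENDENCIES), 1):
        print(f"Wave {i}: {', '.join(wave)}")
```

Run stand-alone, the script prints Active Directory in the first wave, Exchange and SQL Server in the second, and the applications that sit on top of them in the third. A real plan would also record which backup copy each service is restored from and whether that copy was reachable from the compromised network, which is exactly what made most of this client's backups unusable.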
In less than 48 hours, Progent was able to restore Active Directory services to their pre-attack state. Progent then assisted with rebuilding and hard drive recovery on key systems. All Microsoft Exchange Server ties and configuration information were intact, which facilitated the rebuild of Exchange. Progent was also able to find local OST data files (Microsoft Outlook Offline Data Files) on various workstations and laptops in order to recover mail information. A fairly recent offline backup of the customer's accounting software made it possible to bring these required applications back to users. Although major work remained to recover completely from the Ryuk damage, essential services were returned to operation quickly:
"For the most part, the production manufacturing operation showed little impact and we delivered all customer deliverables."
Over the following couple of weeks, critical milestones in the recovery project were achieved in tight cooperation between Progent consultants and the customer:
- Self-hosted web sites were brought back up with no loss of data.
- The MailStore Exchange Server with over four million archived messages was brought on-line and accessible to users.
- CRM/Customer Orders/Invoicing/Accounts Payable/Accounts Receivables (AR)/Inventory Control capabilities were fully restored.
- A new Palo Alto Networks 850 security appliance was set up and programmed.
- 90% of the user PCs were operational.
"A huge amount of what went on in the initial days is nearly entirely a fog for me, but we will not soon forget the countless hours each of the team put in to give us our business back. I've entrusted Progent for at least 10 years, possibly more, and each time Progent has impressed me and delivered as promised. This situation was no exception but maybe more Herculean."
A probable business-ending catastrophe was dodged with top-tier professionals, a wide array of IT skills, and tight teamwork. Although in hindsight the crypto-ransomware attack described here could have been blunted with modern security technology and ISO/IEC 27001 best practices, team education, and well-designed procedures for backing up information and applying software patches, the fact is that state-sponsored criminal cyber gangs from China, North Korea and elsewhere are tireless and represent an ongoing threat. If you do get hit by a ransomware penetration, be confident that Progent's roster of experts has substantial experience in crypto-ransomware defense, remediation, and data disaster recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Tony (and any others who were helping), thank you for making it so I could get rested after we made it over the initial push. Everyone did a fabulous effort, and if anyone that helped is visiting the Chicago area, dinner is on me!"
To review or download a PDF version of this customer story, click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Crypto-Ransomware Protection Services Offered by Progent
Progent offers companies in Irving a range of remote monitoring and security evaluation services to help you to reduce the threat from ransomware. These services incorporate next-generation artificial intelligence technology to uncover zero-day strains of ransomware that can evade traditional signature-based security solutions.
For 24x7x365 Irving Ransomware Recovery Help, reach out to Progent at 800-993-9400 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
ProSight Active Security Monitoring is an endpoint protection (EPP) service that incorporates cutting-edge behavior-based machine learning tools to guard physical and virtual endpoints against modern malware assaults like ransomware and email phishing, which easily get by traditional signature-based AV tools. ProSight ASM safeguards local and cloud-based resources and offers a single platform to manage the complete malware attack lifecycle including blocking, identification, containment, cleanup, and post-attack forensics. Top capabilities include one-click rollback using Windows Volume Shadow Copy Service (VSS) and automatic network-wide immunization against newly discovered threats. Read more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware recovery.
- ProSight Enhanced Security Protection: Physical and Virtual Endpoint Security and Exchange Filtering
ProSight Enhanced Security Protection services offer economical multi-layer security for physical servers and VMs, workstations, smartphones, and Microsoft Exchange. ProSight ESP utilizes contextual security and advanced machine learning for continuously monitoring and reacting to security threats from all attack vectors. ProSight ESP offers firewall protection, intrusion alerts, device management, and web filtering through cutting-edge tools packaged within one agent managed from a single console. Progent's security and virtualization consultants can help your business to design and configure a ProSight ESP deployment that meets your company's specific needs and that allows you to demonstrate compliance with government and industry data protection regulations. Progent will assist you to define and configure the policies that ProSight ESP will manage, and Progent will monitor your network and react to alerts that call for urgent attention. Progent's consultants can also assist you to set up and test a backup and disaster recovery system like ProSight Data Protection Services (DPS) so you can recover quickly from a destructive cyber attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection unified endpoint protection and Microsoft Exchange filtering.
- ProSight Data Protection Services: Managed Backup and Disaster Recovery
ProSight Data Protection Services offer small and medium-sized organizations an affordable and fully managed solution for secure backup/disaster recovery (BDR). Available at a fixed monthly price, ProSight Data Protection Services automates and monitors your backup activities and allows rapid recovery of critical files, applications and virtual machines that have become unavailable or damaged due to hardware failures, software glitches, disasters, human error, or malicious attacks such as ransomware. ProSight DPS can help you protect, recover and restore files, folders, apps, system images, as well as Hyper-V and VMware images. Critical data can be protected in the cloud, on an on-premises storage device, or mirrored to both. Progent's cloud backup consultants can deliver advanced support to configure ProSight Data Protection Services to be compliant with government and industry regulatory requirements like HIPAA, FINRA, and PCI and, whenever necessary, can help you to restore your critical information. Find out more about ProSight Data Protection Services Managed Backup and Recovery.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam filtering and email encryption service that incorporates the technology of leading data security companies to deliver web-based control and comprehensive protection for your email traffic. The hybrid architecture of Progent's Email Guard combines a Cloud Protection Layer with a local gateway appliance to provide complete protection against spam, viruses, Denial of Service attacks, directory harvest attacks (DHAs), and other email-borne malware. The Cloud Protection Layer serves as a preliminary barricade and keeps the vast majority of unwanted email from reaching your network firewall. This reduces your exposure to external threats and saves system bandwidth and storage. Email Guard's onsite security gateway device provides a further level of inspection for inbound email. For outbound email, the on-premises gateway offers AV and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The on-premises gateway can also assist Microsoft Exchange Server to monitor and protect internal email traffic that stays inside your corporate firewall. For more information, visit ProSight Email Guard spam and content filtering.
- ProSight WAN Watch: Infrastructure Remote Monitoring and Management
ProSight WAN Watch is a network infrastructure management service that makes it easy and inexpensive for small and mid-sized organizations to diagram, track, enhance and troubleshoot their networking hardware like routers and switches, firewalls, and access points plus servers, printers, endpoints and other devices. Using state-of-the-art RMM technology, ProSight WAN Watch ensures that infrastructure topology diagrams are kept updated, copies and displays the configuration of almost all devices on your network, monitors performance, and generates alerts when problems are discovered. By automating tedious network management processes, WAN Watch can cut hours off common chores like network mapping, reconfiguring your network, locating devices that need important software patches, or identifying the cause of performance bottlenecks. Learn more details about ProSight WAN Watch infrastructure monitoring and management consulting.
- ProSight LAN Watch: Server and Desktop Monitoring and Management
ProSight LAN Watch is Progent's server and desktop monitoring managed service that uses state-of-the-art remote monitoring and management techniques to help keep your network operating efficiently by checking the health of the critical computers that power your business network. When ProSight LAN Watch uncovers a problem, an alert is sent automatically to your designated IT staff and your Progent engineering consultant so that potential issues can be addressed before they disrupt your network. Find out more details about ProSight LAN Watch server and desktop monitoring services.
- ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
With Progent's ProSight Virtual Hosting service, a small business can have its key servers and apps hosted in a secure, fault-tolerant data center on a high-performance virtual host set up and managed by Progent's network support experts. With Progent's ProSight Virtual Hosting service model, the client owns the data, the OS platforms, and the apps. Since the system is virtualized, it can be moved immediately to a different hosting environment without requiring a time-consuming and technically risky reinstallation process. With ProSight Virtual Hosting, you are not tied to a single hosting service. Find out more details about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to capture, update, find and safeguard information related to your IT infrastructure, procedures, business apps, and services. You can instantly locate passwords or IP addresses and be warned about impending expirations of SSL certificates, domains or warranties. By updating and managing your IT documentation, you can save as much as half the time spent searching for vital information about your network. ProSight IT Asset Management features a common location for storing and collaborating on all documents related to managing your business network such as standard operating procedures and self-service instructions. ProSight IT Asset Management also offers advanced automation for collecting and relating IT information. Whether you're making enhancements, performing regular maintenance, or responding to a crisis, ProSight IT Asset Management gets you the data you require when you need it. Read more about Progent's ProSight IT Asset Management service.