Ransomware : Your Crippling Information Technology Catastrophe
Crypto-Ransomware  Recovery ExpertsRansomware has become a too-frequent cyberplague that poses an enterprise-level threat for businesses vulnerable to an attack. Different iterations of ransomware like the Reveton, WannaCry, Bad Rabbit, NotPetya and MongoLock cryptoworms have been running rampant for a long time and still cause destruction. Modern versions of ransomware like Ryuk, Maze, Sodinokibi, Netwalker, Snatch or Nephilim, as well as additional as yet unnamed viruses, not only do encryption of on-line data but also infect many accessible system restores and backups. Data synchronized to off-site disaster recovery sites can also be encrypted. In a poorly architected environment, it can make any recovery useless and basically knocks the network back to zero.

Recovering services and data after a ransomware outage becomes a sprint against the clock as the victim fights to stop lateral movement and cleanup the ransomware and to restore mission-critical activity. Due to the fact that crypto-ransomware needs time to move laterally, assaults are often launched during nights and weekends, when attacks tend to take more time to discover. This multiplies the difficulty of rapidly marshalling and orchestrating an experienced response team.

Progent provides a range of support services for protecting organizations from ransomware penetrations. These include team education to become familiar with and avoid phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, in addition to installation of modern security gateways with artificial intelligence capabilities to automatically identify and disable zero-day cyber threats. Progent in addition offers the assistance of expert ransomware recovery engineers with the skills and perseverance to reconstruct a breached system as urgently as possible.

Progent's Ransomware Recovery Support Services
Subsequent to a ransomware attack, sending the ransom in cryptocurrency does not ensure that cyber criminals will provide the codes to decrypt all your files. Kaspersky Labs determined that 17% of crypto-ransomware victims never restored their data after having paid the ransom, resulting in additional losses. The risk is also very costly. Ryuk ransoms frequently range from fifteen to forty BTC ($120,000 and $400,000). This is well above the average ransomware demands, which ZDNET averages to be in the range of $13,000. The other path is to setup from scratch the essential components of your IT environment. Without access to full system backups, this requires a wide complement of skill sets, professional project management, and the ability to work 24x7 until the task is complete.

For two decades, Progent has provided certified expert IT services for businesses in Las Vegas and throughout the US and has earned Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes consultants who have earned high-level certifications in leading technologies such as Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cybersecurity consultants have garnered internationally-renowned certifications including CISA, CISSP-ISSAP, ISACA CRISC, and GIAC. (Visit Progent's certifications). Progent also has expertise in financial systems and ERP software solutions. This breadth of expertise affords Progent the skills to rapidly identify important systems and consolidate the remaining components of your computer network environment following a crypto-ransomware penetration and assemble them into a functioning system.

Progent's ransomware team has state-of-the-art project management tools to orchestrate the complicated restoration process. Progent appreciates the urgency of acting swiftly and together with a client's management and IT team members to assign priority to tasks and to put the most important services back online as fast as possible.

Customer Case Study: A Successful Crypto-Ransomware Attack Restoration
A client hired Progent after their network was attacked by the Ryuk crypto-ransomware. Ryuk is generally considered to have been developed by North Korean state sponsored hackers, possibly using approaches exposed from the United States National Security Agency. Ryuk goes after specific companies with little tolerance for operational disruption and is among the most profitable examples of ransomware. Well Known targets include Data Resolution, a California-based info warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a regional manufacturing business located in Chicago and has around 500 staff members. The Ryuk intrusion had shut down all company operations and manufacturing capabilities. Most of the client's backups had been online at the time of the intrusion and were destroyed. The client considered paying the ransom demand (more than $200,000) and hoping for the best, but in the end brought in Progent.


"I cannot speak enough in regards to the support Progent gave us throughout the most critical time of (our) businesses existence. We may have had to pay the Hackers if it wasnít for the confidence the Progent group afforded us. That you could get our messaging and important applications back on-line in less than a week was amazing. Every single person I got help from or communicated with at Progent was urgently focused on getting our company operational and was working breakneck pace on our behalf."

Progent worked together with the customer to rapidly understand and prioritize the key applications that needed to be addressed to make it possible to restart business operations:

  • Active Directory (AD)
  • Email
  • Accounting/MRP
To get going, Progent followed ransomware event response industry best practices by isolating and cleaning up infected systems. Progent then began the task of rebuilding Microsoft AD, the key technology of enterprise environments built upon Microsoft technology. Microsoft Exchange Server messaging will not operate without Active Directory, and the customerís financials and MRP applications utilized SQL Server, which needs Active Directory services for authentication to the database.

Within two days, Progent was able to recover Active Directory services to its pre-virus state. Progent then charged ahead with reinstallations and storage recovery of essential servers. All Exchange Server data and attributes were usable, which facilitated the rebuild of Exchange. Progent was able to find intact OST data files (Microsoft Outlook Offline Data Files) on staff PCs and laptops in order to recover mail data. A recent offline backup of the client's financials/ERP systems made them able to return these required services back online. Although major work was left to recover completely from the Ryuk virus, essential systems were returned to operations quickly:


"For the most part, the production line operation was never shut down and we did not miss any customer shipments."

Over the next couple of weeks critical milestones in the recovery process were made through tight cooperation between Progent consultants and the client:

  • Self-hosted web sites were restored without losing any information.
  • The MailStore Server containing more than 4 million archived emails was spun up and accessible to users.
  • CRM/Product Ordering/Invoices/Accounts Payable (AP)/Accounts Receivables (AR)/Inventory capabilities were completely restored.
  • A new Palo Alto Networks 850 security appliance was brought online.
  • Ninety percent of the desktops and laptops were operational.

"Much of what happened in the early hours is nearly entirely a haze for me, but my management will not soon forget the care each and every one of the team accomplished to help get our company back. Iíve been working together with Progent for at least 10 years, possibly more, and each time Progent has shined and delivered as promised. This event was the most impressive ever."

Conclusion
A probable business-killing catastrophe was evaded with hard-working professionals, a broad spectrum of IT skills, and tight teamwork. Although in post mortem the crypto-ransomware incident detailed here should have been blocked with current security solutions and NIST Cybersecurity Framework best practices, user education, and appropriate incident response procedures for information protection and applying software patches, the fact is that state-sponsored criminal cyber gangs from Russia, China and elsewhere are relentless and will continue. If you do get hit by a ransomware virus, feel confident that Progent's roster of professionals has substantial experience in ransomware virus defense, remediation, and data recovery.


"So, to Darrin, Matt, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others who were contributing), thank you for allowing me to get some sleep after we made it past the first week. All of you did an fabulous job, and if anyone is in the Chicago area, a great meal is on me!"

To review or download a PDF version of this customer case study, please click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent can provide businesses in Las Vegas a variety of remote monitoring and security evaluation services to help you to reduce the threat from crypto-ransomware. These services incorporate next-generation AI capability to uncover new variants of crypto-ransomware that can evade legacy signature-based security solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring (ASM) is an endpoint protection solution that incorporates next generation behavior-based machine learning tools to defend physical and virtual endpoint devices against new malware assaults such as ransomware and file-less exploits, which easily get by traditional signature-matching AV tools. ProSight Active Security Monitoring protects local and cloud-based resources and provides a single platform to address the entire threat lifecycle including protection, infiltration detection, mitigation, cleanup, and forensics. Key capabilities include one-click rollback using Windows Volume Shadow Copy Service (VSS) and automatic system-wide immunization against new attacks. Find out more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Security and Microsoft Exchange Filtering
    ProSight Enhanced Security Protection (ESP) managed services offer affordable in-depth protection for physical servers and virtual machines, desktops, smartphones, and Exchange email. ProSight ESP uses contextual security and modern behavior analysis for continuously monitoring and responding to security assaults from all vectors. ProSight ESP offers firewall protection, intrusion alarms, endpoint control, and web filtering via leading-edge technologies packaged within a single agent accessible from a single control. Progent's data protection and virtualization consultants can assist you to plan and implement a ProSight ESP deployment that meets your company's specific needs and that allows you demonstrate compliance with legal and industry data protection standards. Progent will help you specify and configure security policies that ProSight ESP will enforce, and Progent will monitor your IT environment and react to alarms that call for immediate attention. Progent's consultants can also help you to set up and test a backup and disaster recovery system such as ProSight Data Protection Services so you can get back in business quickly from a destructive cyber attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint protection and Microsoft Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services from Progent offer small and mid-sized organizations an affordable and fully managed solution for reliable backup/disaster recovery (BDR). For a low monthly cost, ProSight Data Protection Services automates and monitors your backup processes and allows rapid restoration of vital data, apps and VMs that have become unavailable or corrupted as a result of hardware failures, software glitches, natural disasters, human error, or malware attacks such as ransomware. ProSight DPS can help you back up, retrieve and restore files, folders, applications, system images, plus Hyper-V and VMware images/. Critical data can be protected on the cloud, to a local device, or to both. Progent's backup and recovery consultants can deliver world-class expertise to set up ProSight Data Protection Services to to comply with government and industry regulatory requirements like HIPAA, FINRA, PCI and Safe Harbor and, whenever needed, can help you to recover your business-critical information. Read more about ProSight DPS Managed Cloud Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that incorporates the infrastructure of leading data security vendors to deliver centralized management and world-class security for your inbound and outbound email. The hybrid architecture of Progent's Email Guard integrates cloud-based filtering with a local security gateway device to offer complete protection against spam, viruses, Dos Attacks, Directory Harvest Attacks, and other email-based threats. Email Guard's cloud filter serves as a preliminary barricade and keeps most threats from making it to your security perimeter. This decreases your vulnerability to external attacks and conserves system bandwidth and storage space. Email Guard's on-premises security gateway appliance provides a further level of inspection for incoming email. For outbound email, the local security gateway provides anti-virus and anti-spam filtering, DLP, and email encryption. The local gateway can also assist Microsoft Exchange Server to track and protect internal email traffic that originates and ends inside your security perimeter. For more information, visit Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Infrastructure Remote Monitoring and Management
    Progentís ProSight WAN Watch is a network infrastructure management service that makes it simple and inexpensive for smaller organizations to diagram, track, reconfigure and debug their connectivity appliances like switches, firewalls, and load balancers plus servers, printers, client computers and other networked devices. Incorporating cutting-edge Remote Monitoring and Management (RMM) technology, WAN Watch ensures that network maps are kept updated, captures and manages the configuration information of almost all devices on your network, tracks performance, and generates notices when issues are discovered. By automating time-consuming network management processes, WAN Watch can cut hours off common chores like network mapping, reconfiguring your network, finding devices that need critical updates, or identifying the cause of performance problems. Learn more details about ProSight WAN Watch infrastructure management services.

  • ProSight LAN Watch: Server and Desktop Monitoring
    ProSight LAN Watch is Progentís server and desktop remote monitoring managed service that uses state-of-the-art remote monitoring and management (RMM) techniques to keep your IT system operating efficiently by checking the health of vital assets that drive your business network. When ProSight LAN Watch uncovers an issue, an alarm is transmitted immediately to your designated IT personnel and your assigned Progent consultant so any potential problems can be resolved before they have a chance to impact productivity. Find out more details about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
    With Progent's ProSight Virtual Hosting service, a small business can have its critical servers and applications hosted in a secure fault tolerant data center on a fast virtual machine host configured and managed by Progent's network support experts. Under the ProSight Virtual Hosting model, the customer retains ownership of the data, the OS software, and the applications. Since the system is virtualized, it can be moved easily to an alternate hosting solution without a time-consuming and difficult configuration procedure. With ProSight Virtual Hosting, you are not locked into one hosting provider. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to create, update, retrieve and safeguard information about your IT infrastructure, processes, business apps, and services. You can instantly locate passwords or IP addresses and be warned about impending expirations of SSLs ,domains or warranties. By updating and organizing your network documentation, you can eliminate as much as half of time wasted searching for vital information about your network. ProSight IT Asset Management includes a centralized repository for holding and sharing all documents related to managing your network infrastructure such as standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also offers a high level of automation for gathering and associating IT data. Whether youíre making improvements, performing regular maintenance, or responding to a crisis, ProSight IT Asset Management gets you the information you need when you need it. Read more about ProSight IT Asset Management service.
For Las Vegas 24-Hour Crypto-Ransomware Removal Support Services, reach out to Progent at 800-993-9400 or go to Contact Progent.