Ransomware: Your Crippling IT Nightmare

Ransomware Recovery Professionals
Ransomware has become a modern cyberplague that poses an extinction-level threat for organizations unprepared for an attack. Different versions of ransomware like the CrySIS, WannaCry, Locky, SamSam and MongoLock cryptoworms have been replicating for years and continue to cause destruction. Newer strains of ransomware such as Ryuk and Hermes, as well as more unnamed newcomers, not only encrypt online data files but also infiltrate all accessible system restores and backups. Data synched to cloud environments can also be rendered useless. In a poorly designed environment, this can render automated restoration hopeless and effectively knock the network back to square one.

Getting services and data back following a ransomware outage becomes a race against the clock as the targeted organization struggles to contain and clean up the ransomware and to resume mission-critical operations. Because ransomware takes time to move laterally, penetrations are usually launched on weekends, when a successful penetration in many cases takes longer to notice. This multiplies the difficulty of promptly marshalling and organizing an experienced mitigation team.

Progent offers a variety of support services for protecting enterprises from ransomware penetrations. Among these are user training to recognize and avoid phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, and deployment of the latest generation of security appliances with machine learning technology to quickly detect and disable new cyber attacks. Progent can also provide the services of expert ransomware recovery professionals with the skills and commitment to rebuild a compromised system as urgently as possible.

Progent's Ransomware Recovery Help
Soon after a crypto-ransomware penetration, sending the ransom in Bitcoin cryptocurrency does not ensure that merciless criminals will respond with the keys to decrypt all your files. Kaspersky Labs estimated that seventeen percent of ransomware victims never recovered their files even after having paid the ransom, resulting in increased losses. The gamble is also expensive. Ryuk ransoms frequently range from fifteen to forty BTC ($120,000 to $400,000). This is greatly above the usual ransomware demands, which ZDNET estimates to be around $13,000. The alternative is to set up from scratch the mission-critical elements of your Information Technology environment. Without the availability of essential data backups, this requires a broad complement of IT skills, top-notch project management, and the ability to work continuously until the task is complete.

For twenty years, Progent has offered certified expert IT services for businesses in Lawrence and across the United States and has earned Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes consultants who have attained top certifications in key technologies such as Microsoft, Cisco, VMware, and major distributions of Linux. Progent's security specialists have earned internationally renowned industry certifications including CISM, CISSP-ISSAP, ISACA CRISC, and GIAC. (Visit Progent's certifications). Progent also has experience with financial management and ERP applications. This breadth of experience gives Progent the ability to quickly identify the necessary systems, integrate the surviving pieces of your computer network environment following a crypto-ransomware penetration, and configure them into a functioning system.

Progent's ransomware team of experts utilizes top-notch project management tools to orchestrate the sophisticated recovery process. Progent knows the urgency of acting swiftly and in unison with a client's management and Information Technology team members to prioritize tasks and to get the most important systems back online as fast as humanly possible.

Customer Story: A Successful Ransomware Intrusion Response
A client engaged Progent after their company was brought down by Ryuk ransomware. Ryuk is generally considered to have been created by North Korean state cybercriminals, possibly using approaches leaked from the U.S. NSA. Ryuk attacks specific organizations with little tolerance for disruption and is one of the most lucrative versions of crypto-ransomware. Headline targets include Data Resolution, a California-based information warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a regional manufacturing company located in the Chicago metro area with about 500 workers. The Ryuk penetration had disabled all business operations and manufacturing capabilities. The majority of the client's backups had been directly accessible at the start of the attack and were eventually encrypted. The client was pursuing financing for paying the ransom demand (in excess of $200K) and hoping for the best, but ultimately made the decision to use Progent.


"I cannot say enough in regards to the expertise Progent provided us during the most stressful time of (our) company's existence. We would have paid the cyber criminals if it wasn't for the confidence the Progent experts provided us. That you could get our e-mail and essential applications back on-line in less than one week was beyond my wildest dreams. Each staff member I interacted with or texted at Progent was urgently focused on getting us restored and was working all day and night on our behalf."

Progent worked with the customer to rapidly assess and assign priority to the critical elements that needed to be recovered in order to continue company operations:

  • Windows Active Directory
  • E-Mail
  • Accounting/MRP

To start, Progent adhered to ransomware incident response best practices by halting the spread and cleaning up compromised systems. Progent then began the process of restoring Windows Active Directory, the heart of enterprise networks built on Microsoft Windows Server technology. Exchange email will not work without Windows AD, and the client's accounting and MRP system relied on SQL Server, which requires Active Directory for authenticating and authorizing access to the databases.

In less than two days, Progent was able to recover Active Directory to its pre-attack state. Progent then performed rebuilding and hard drive recovery of critical systems. All Exchange Server connections and configuration information were intact, which facilitated the rebuild of Exchange. Progent was able to find non-encrypted OST files (Outlook Off-Line Folder Files) on user PCs in order to recover mail data. A recent off-line backup of the business's manufacturing software made it possible to bring these vital services back online for users. Although major work remained to recover completely from the Ryuk attack, critical services were recovered quickly:


"For the most part, the production line operation survived unscathed and we produced all customer orders."

Over the following month, critical milestones in the restoration process were reached through close cooperation between Progent engineers and the client:

  • In-house web applications were restored with no loss of data.
  • The MailStore Microsoft Exchange Server with over 4 million archived messages was restored to operation and accessible to users.
  • CRM/Product Ordering/Invoicing/Accounts Payable (AP)/Accounts Receivables (AR)/Inventory Control functions were 100 percent recovered.
  • A new Palo Alto Networks 850 security appliance was brought on-line.
  • Ninety percent of the user workstations were operational.

"So much of what was accomplished in the early hours is mostly a haze for me, but I will not forget the dedication all of you accomplished to help get our company back. I have trusted Progent for the past 10 years, maybe more, and every time Progent has come through and delivered. This event was no exception but maybe more Herculean."

Conclusion
A potential business disaster was averted by top-tier professionals, a wide range of IT skills, and tight teamwork. Although in hindsight the ransomware attack detailed here would have been identified and disabled with modern cyber security solutions and ISO/IEC 27001 best practices, staff training, and well-designed procedures for backup, software patching, and incident response, the fact remains that state-sponsored cyber criminals from China, North Korea and elsewhere are relentless and are an ongoing threat. If you do fall victim to a ransomware incident, feel confident that Progent's team of professionals has a proven track record in ransomware virus blocking, remediation, and information systems recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others that were helping), I'm grateful for making it so I could get some sleep after we got over the initial fire. Everyone did an incredible job, and if any of your guys is around the Chicago area, a great meal is my treat!"

To review or download a PDF version of this customer story, click:
Progent's Crypto-Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent can provide businesses in Lawrence a range of online monitoring and security evaluation services designed to help you reduce your vulnerability to ransomware. These services incorporate modern machine learning capability to detect new variants of ransomware that are able to escape detection by legacy signature-based anti-virus solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring is an endpoint protection (EPP) solution that utilizes cutting-edge behavior analysis technology to guard physical and virtual endpoint devices against new malware attacks like ransomware and email phishing, which routinely evade legacy signature-based AV products. ProSight Active Security Monitoring protects local and cloud resources and provides a single platform to address the complete malware attack progression including filtering, identification, mitigation, remediation, and post-attack forensics. Top capabilities include one-click rollback with Windows Volume Shadow Copy Service (VSS) and automatic system-wide immunization against new attacks. Read more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection (ESP): Endpoint Protection and Exchange Email Filtering
    ProSight Enhanced Security Protection managed services offer economical in-depth protection for physical servers and virtual machines, workstations, mobile devices, and Exchange email. ProSight ESP uses adaptive security and advanced machine learning for continuously monitoring and reacting to security threats from all attack vectors. ProSight ESP offers two-way firewall protection, intrusion alerts, device control, and web filtering through cutting-edge technologies incorporated within one agent managed from a unified console. Progent's security and virtualization experts can assist your business to plan and implement a ProSight ESP environment that addresses your organization's unique requirements and that helps you achieve and demonstrate compliance with government and industry information security standards. Progent will help you define and implement policies that ProSight ESP will manage, and Progent will monitor your network and react to alerts that call for urgent action. Progent's consultants can also assist you to install and test a backup and disaster recovery solution such as ProSight Data Protection Services (DPS) so you can recover quickly from a potentially disastrous security attack like ransomware. Learn more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint security and Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery
    ProSight Data Protection Services from Progent offer small and mid-sized organizations an affordable end-to-end solution for secure backup/disaster recovery. For a low monthly rate, ProSight Data Protection Services automates your backup activities and enables fast recovery of vital files, apps and VMs that have become unavailable or damaged as a result of hardware breakdowns, software bugs, disasters, human error, or malware attacks like ransomware. ProSight Data Protection Services can help you back up, recover and restore files, folders, apps, system images, plus Hyper-V and VMware virtual machine images. Critical data can be backed up on the cloud, to a local storage device, or to both. Progent's BDR consultants can deliver world-class expertise to set up ProSight Data Protection Services to be compliant with government and industry regulatory requirements like HIPAA, FIRPA, and PCI and, whenever necessary, can help you to recover your business-critical data. Read more about ProSight DPS Managed Cloud Backup.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering and email encryption service that incorporates the technology of leading information security companies to deliver web-based management and comprehensive protection for all your email traffic. The hybrid architecture of Progent's Email Guard integrates a Cloud Protection Layer with a local security gateway appliance to provide complete protection against spam, viruses, Denial of Service Attacks, DHAs, and other email-borne threats. The Cloud Protection Layer acts as a first line of defense and keeps the vast majority of threats from making it to your network firewall. This reduces your vulnerability to inbound threats and saves system bandwidth and storage space. Email Guard's onsite security gateway device adds a further level of inspection for incoming email. For outbound email, the onsite security gateway offers AV and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The onsite gateway can also help Exchange Server to monitor and safeguard internal email that stays inside your security perimeter. For more information, visit ProSight Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    Progent's ProSight WAN Watch is an infrastructure management service that makes it simple and affordable for smaller organizations to map out, monitor, reconfigure and debug their networking appliances such as routers and switches, firewalls, and wireless controllers plus servers, endpoints and other devices. Incorporating state-of-the-art Remote Monitoring and Management (RMM) technology, ProSight WAN Watch makes sure that infrastructure topology maps are always updated, captures and manages the configuration information of virtually all devices on your network, tracks performance, and sends alerts when potential issues are detected. By automating complex management processes, ProSight WAN Watch can knock hours off common tasks like network mapping, reconfiguring your network, finding devices that require critical updates, or identifying the cause of performance bottlenecks. Find out more details about ProSight WAN Watch infrastructure monitoring and management consulting.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring
    ProSight LAN Watch is Progent's server and desktop monitoring service that incorporates state-of-the-art remote monitoring and management technology to keep your network running efficiently by checking the health of vital assets that power your business network. When ProSight LAN Watch detects a problem, an alarm is transmitted automatically to your specified IT personnel and your assigned Progent engineering consultant so that all looming problems can be resolved before they can disrupt productivity. Find out more about ProSight LAN Watch server and desktop remote monitoring consulting.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With Progent's ProSight Virtual Hosting service, a small organization can have its critical servers and applications hosted in a secure, fault-tolerant data center on a fast virtual machine host configured and managed by Progent's network support experts. With the ProSight Virtual Hosting model, the customer retains ownership of the data, the operating system platforms, and the apps. Because the environment is virtualized, it can be moved immediately to a different hardware environment without a time-consuming and difficult configuration process. With ProSight Virtual Hosting, you are not tied to one hosting provider. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to create, update, retrieve and safeguard information about your IT infrastructure, procedures, applications, and services. You can instantly find passwords or IP addresses and be alerted automatically about impending expirations of SSL certificates or domains. By cleaning up and managing your network documentation, you can eliminate up to 50% of the time wasted looking for vital information about your IT network. ProSight IT Asset Management features a common repository for holding and collaborating on all documents required for managing your business network like standard operating procedures (SOPs) and How-To's. ProSight IT Asset Management also offers a high level of automation for gathering and relating IT data. Whether you're planning improvements, doing regular maintenance, or reacting to an emergency, ProSight IT Asset Management delivers the information you require as soon as you need it. Learn more about ProSight IT Asset Management service.

For 24/7 Lawrence Ransomware Repair Support Services, reach out to Progent at 800-993-9400 or go to Contact Progent.