Ransomware: Your Feared IT Nightmare
Crypto-ransomware has become a modern cyber pandemic and poses an existential threat to organizations that are poorly prepared for an attack. Multiple generations of ransomware families, including the Dharma, WannaCry, Bad Rabbit, NotPetya and MongoLock campaigns (several of them self-propagating cryptoworms), have been running rampant for years and continue to inflict damage. Modern strains such as Ryuk and Hermes, along with the daily stream of unnamed variants, not only encrypt data reachable over the network but also disable or corrupt the system protection mechanisms they find, such as local backups and Volume Shadow Copies. Data synchronized to the cloud can be overwritten with encrypted copies as well. In a poorly architected environment this can make automated restores impossible and effectively sets the datacenter back to zero.
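The claim above that ransomware goes after protection mechanisms before it encrypts is worth making concrete, because it is also one of the last detectable moments before data loss. The commands that destroy Volume Shadow Copies, the Windows Backup catalog and the boot-time recovery environment (MITRE ATT&CK T1490, Inhibit System Recovery) are few and distinctive, and an endpoint product's VSS-based rollback has nothing to roll back to once they have run. The following Python example is added here and is not Progent's or any ProSight product's code; the process-creation records it scans are constructed for illustration, and the host names, parent paths and JSON field names are assumptions.

```python
"""Flag 'Inhibit System Recovery' commands (MITRE ATT&CK T1490) in
process-creation telemetry.  Added example, not Progent's tooling; the
log records below are constructed for illustration, not from an incident.

Ransomware families routinely run these commands moments before
encryption starts, so a hit is one of the last high-fidelity signals
before data loss and should page on-call rather than wait for a report.
"""
import json
import re
from collections import defaultdict

INHIBIT_RECOVERY_PATTERNS = {
    # vssadmin delete shadows /all /quiet
    "vss_delete": re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows", re.I),
    # vssadmin resize shadowstorage ... /maxsize=401MB (evicts old copies)
    "vss_resize": re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\s+shadowstorage", re.I),
    # wmic shadowcopy delete
    "wmic_shadow": re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
    # wbadmin delete catalog / wbadmin delete systemstatebackup
    "wbadmin_catalog": re.compile(
        r"\bwbadmin(\.exe)?\b.*\bdelete\s+(catalog|systemstatebackup)", re.I),
    # bcdedit /set {default} recoveryenabled no ; bootstatuspolicy ignoreallfailures
    "bcdedit_recovery": re.compile(
        r"\bbcdedit(\.exe)?\b.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b",
        re.I),
    # Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_.Delete() }
    "ps_shadow": re.compile(r"win32_shadowcopy.*\.delete\(\)", re.I),
}


def match_inhibit_recovery(cmdline: str) -> list:
    """Return the sorted technique tags whose pattern matches `cmdline`."""
    return sorted(tag for tag, rx in INHIBIT_RECOVERY_PATTERNS.items()
                  if rx.search(cmdline))


def scan_log(lines) -> list:
    """Parse JSON-per-line process-creation records and return the hits in
    input order.  Records without a command line are skipped."""
    hits = []
    for line in lines:
        rec = json.loads(line)
        cmd = rec.get("cmdline", "")
        tags = match_inhibit_recovery(cmd)
        if tags:
            hits.append({"host": rec.get("host"), "parent": rec.get("parent"),
                         "cmdline": cmd, "tags": tags})
    return hits


def summarize(hits) -> dict:
    """Per host: count of distinct T1490 techniques and a severity.  One
    technique may be an admin reclaiming disk; several in a row is the
    pre-encryption sequence and warrants isolating the host."""
    per_host = defaultdict(set)
    for h in hits:
        per_host[h["host"]].update(h["tags"])
    return {host: {"distinct": len(tags),
                   "severity": "critical" if len(tags) >= 2 else "high"}
            for host, tags in per_host.items()}


# Constructed Sysmon Event ID 1-style records (assumed field names).
SAMPLE_LOG = [json.dumps(r) for r in [
    {"host": "WS-117", "parent": r"C:\Windows\explorer.exe",
     "cmdline": "vssadmin list shadows"},                     # benign, read-only
    {"host": "WS-117", "parent": r"C:\Users\jdoe\AppData\Roaming\lan.exe",
     "cmdline": "vssadmin.exe Delete Shadows /all /quiet"},
    {"host": "WS-117", "parent": r"C:\Users\jdoe\AppData\Roaming\lan.exe",
     "cmdline": "wmic.exe shadowcopy delete /nointeractive"},
    {"host": "WS-117", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "bcdedit /set {default} recoveryenabled No & "
                "bcdedit /set {default} bootstatuspolicy ignoreallfailures"},
    {"host": "WS-117", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "wbadmin delete catalog -quiet"},
    {"host": "WS-117", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": 'powershell -c "Get-WmiObject Win32_Shadowcopy | '
                'ForEach-Object {$_.Delete();}"'},
    {"host": "FS-02", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"C:\Windows\System32\notepad.exe C:\share\readme.txt"},
]]

if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for h in found:
        print(h["host"], h["tags"], h["cmdline"])
    print(summarize(found))
```

A single `vssadmin list shadows` or a resize by an administrator is routine, which is why the summary grades hosts on how many distinct techniques appear rather than on raw hit count; a host that runs two or more of them within a short window is almost certainly minutes from encryption, and the right response is network isolation, not a ticket.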
Getting applications and data back after a ransomware attack becomes a race against the clock as the victim tries to contain and eradicate the ransomware and resume business-critical activity. Because the attacker needs time to move laterally before triggering encryption, attacks are frequently launched at night or over weekends, when a successful intrusion takes longer to notice. This multiplies the difficulty of promptly assembling and coordinating a capable response team.
Progent provides a range of services for protecting enterprises from ransomware. These include user education to recognize and avoid phishing, ProSight Active Security Monitoring for remote monitoring and management, and deployment of next-generation security appliances that use machine learning to identify and contain zero-day threats. Progent also offers the services of veteran ransomware recovery professionals with the skills and perseverance to restore a compromised environment as quickly as possible.
Progent's Crypto-Ransomware Restoration Help
Following a ransomware event, paying the ransom in cryptocurrency provides no assurance that the attackers will respond with working decryption keys for any of your data. Kaspersky reported that seventeen percent of ransomware victims never recovered their data after paying, compounding their losses. The gamble is also expensive: Ryuk ransoms at the time of this case frequently ranged from 15 to 40 BTC (roughly $120,000 to $400,000), far above the typical ransomware demand, which ZDNet estimated at around $13,000. The other path is to rebuild the mission-critical parts of your IT environment from scratch. Without access to essential backups, this calls for a wide complement of skills, professional team management, and the capacity to work non-stop until the job is done.
For two decades, Progent has provided professional IT services for companies in Lynnwood and throughout the United States and has achieved Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes engineers who hold top industry certifications in key technologies including Microsoft, Cisco, VMware, and popular Linux distributions. Progent's security consultants hold internationally recognized certifications including CISM, CISSP-ISSAP, ISACA CRISC, and SANS GIAC (see Progent's certifications). Progent also has expertise in financial systems and ERP applications. This breadth of expertise lets Progent quickly identify the systems that matter, consolidate what survives of your network after a ransomware intrusion, and configure them into a functioning environment.
Progent's security team uses best-of-breed project management tools to orchestrate the complicated restoration process. Progent appreciates the urgency of working swiftly and in concert with a customer's management and IT staff to prioritize tasks and get critical applications back online as fast as possible.
Customer Case Study: A Successful Crypto-Ransomware Intrusion Restoration
A customer engaged Progent after their organization was brought down by Ryuk ransomware. Early reporting attributed Ryuk to North Korean state-sponsored actors because it shares code with the earlier Hermes ransomware, but most subsequent analysis attributes Ryuk to a financially motivated, Russian-speaking criminal group. Ryuk targets specific companies with little tolerance for downtime and is among the most lucrative ransomware operations. Headline victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a regional manufacturing business headquartered in Chicago with around 500 employees. The Ryuk intrusion had shut down all essential business operations and manufacturing processes. Most of the client's backups had been online at the start of the intrusion and were encrypted along with production data. The client was arranging financing to pay the ransom demand (more than $200K) and hoping for the best, but in the end called Progent.
"I cannot tell you enough in regards to the support Progent provided us throughout the most critical time of (our) company's life. We would have paid the Hackers if it wasn't for the confidence the Progent experts gave us. That you were able to get our e-mail and production applications back into operation sooner than a week was something I thought impossible. Each staff member I spoke to or texted at Progent was hell-bent on getting us restored and was working all day and night on our behalf."
Progent worked hand in hand with the client to quickly assess and prioritize the essential systems that had to be restored to resume departmental operations:
- Windows Active Directory
- Accounting and Manufacturing Software
To get going, Progent followed standard incident-response practice: isolating affected hosts to halt lateral movement, then cleaning infected systems. Progent then began rebuilding Windows Active Directory, the foundation of any enterprise network built on Microsoft technology. Microsoft Exchange Server will not operate without AD, and the client's MRP applications ran on SQL Server, which relied on AD for authentication to the databases.
Within two days, Progent had rebuilt Active Directory to its pre-attack state. Progent then assisted with the setup and disk recovery of mission-critical applications. All Exchange Server integrations and configuration information were intact, which accelerated the Exchange restore. Because Outlook keeps a local cache of each user's mailbox, Progent was able to locate unencrypted OST files (Outlook Offline Folder Files) on user PCs and laptops and recover mail messages from them. A reasonably recent offline backup of the manufacturing software made it possible to bring those required applications back online for users. Although a large amount of work remained to recover fully from the Ryuk damage, the most important systems were restored quickly:
"For the most part, the production line operation showed little impact and we made all customer deliverables."
Over the following few weeks, important milestones in the restoration were reached in close collaboration between Progent's team and the customer:
- Internal web sites were restored with no loss of information.
- The MailStore email archive server, holding more than four million historical Exchange messages, was brought back up and made accessible to users.
- CRM/Product Ordering/Invoices/Accounts Payable/Accounts Receivables/Inventory Control modules were 100% functional.
- A new Palo Alto Networks PA-850 firewall was brought online.
- Most of the user desktops and notebooks were functioning as before the incident.
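The mail recovery described above, pulling messages from unencrypted OST caches on workstations, starts with a triage question: which of the many cached mailbox files on user machines were actually left untouched? The following Python example is added here and is not Progent's tooling. It sorts candidate files by checking for the [MS-PST] header magic that every intact OST/PST carries and by measuring the entropy of the leading bytes, which ransomware output pushes close to 8 bits per byte; the file names and contents it builds are constructed fixtures, and the entropy threshold is an assumption.

```python
"""Triage Outlook OST/PST cache files left on workstations after a
ransomware event.  Added example, not Progent's tooling.

An intact OST/PST begins with the [MS-PST] header: dwMagic 0x4E444221
("!BDN" on disk) at offset 0 and wMagicClient 0x4D53 ("SM") at offset 8.
A file that ransomware has overwritten loses that magic and its leading
bytes look random (entropy near 8 bits/byte), so a header check plus an
entropy measurement on the first chunk sorts candidates into "worth
importing" and "not recoverable" without opening any of them in Outlook.
"""
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

PST_MAGIC = b"!BDN"        # [MS-PST] HEADER.dwMagic, little-endian on disk
CLIENT_MAGIC = b"SM"       # [MS-PST] HEADER.wMagicClient at offset 8
SAMPLE_BYTES = 64 * 1024   # enough to judge; avoids reading multi-GB caches
ENTROPY_THRESHOLD = 7.5    # bits/byte, assumed cut-off; ciphertext sits near 8.0
MAIL_SUFFIXES = {".ost", ".pst", ".nst"}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def has_pst_header(sample: bytes) -> bool:
    return sample[:4] == PST_MAGIC and sample[8:10] == CLIENT_MAGIC


def classify_sample(sample: bytes) -> str:
    """'intact' if the PST header survives, 'encrypted' if the leading bytes
    are high-entropy, otherwise 'damaged' (truncated, zeroed, or not a PST)."""
    if has_pst_header(sample):
        return "intact"
    if shannon_entropy(sample) >= ENTROPY_THRESHOLD:
        return "encrypted"
    return "damaged"


def classify_file(path: Path) -> str:
    with open(path, "rb") as fh:
        return classify_sample(fh.read(SAMPLE_BYTES))


def triage(root: Path) -> dict:
    """Walk `root` and classify every file carrying a mailbox suffix anywhere
    in its name: ransomware usually appends its own extension, so a file
    such as 'jdoe.ost.locked' must still be examined."""
    verdicts = {}
    for path in root.rglob("*"):
        if path.is_file() and any(s.lower() in MAIL_SUFFIXES for s in path.suffixes):
            verdicts[path.name] = classify_file(path)
    return verdicts


def demo() -> dict:
    """Build three constructed fixtures in a temp dir and triage them."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # untouched cache: valid header followed by zero padding
        (root / "jdoe.ost").write_bytes(PST_MAGIC + b"\0" * 4 + CLIENT_MAGIC + b"\0" * 4096)
        # overwritten by ransomware, which also appended an (assumed) extension
        (root / "asmith.ost.locked").write_bytes(os.urandom(SAMPLE_BYTES))
        # zero-filled stub: not encrypted, but nothing to recover either
        (root / "old.pst").write_bytes(b"\0" * 4096)
        return triage(root)


if __name__ == "__main__":
    for name, verdict in sorted(demo().items()):
        print(f"{verdict:10} {name}")
```

Two caveats for a real engagement: Outlook's default "compressible encryption" for OST/PST files is a byte permutation rather than real encryption, so intact caches still read as low-entropy and the header check remains reliable; and an OST is bound to the mailbox profile that created it, so Outlook will not open an orphaned copy directly and recovery normally goes through conversion to a PST before import. Copy the files off the workstation to read-only media before doing either.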
"Much of what was accomplished those first few days is nearly entirely a blur for me, but my team will not soon forget the care each of your team accomplished to give us our company back. Iíve utilized Progent for at least 10 years, possibly more, and each time I needed help Progent has outperformed my expectations and delivered. This event was a stunning achievement."
A potentially business-killing catastrophe was averted by dedicated professionals, a broad array of IT skills, and close teamwork. In hindsight, the attack described here would likely have been detected and stopped by modern security tooling combined with NIST Cybersecurity Framework practices: staff training, tested offline backups, timely patching, and rehearsed incident response procedures. The reality remains that ransomware operators, whether state-sponsored groups or financially motivated criminal gangs, are relentless and are not going away. If you do fall victim to a ransomware incident, remember that Progent's team has substantial experience in ransomware prevention, removal, and disaster recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were helping), thanks very much for letting me get rested after we made it past the first week. Everyone did an incredible job, and if any of your guys is visiting the Chicago area, dinner is the least I can do!"
To review or download a PDF version of this customer case study, click: Progent's Ransomware Recovery Case Study Datasheet (PDF, 282 KB).
Additional Crypto-Ransomware Protection Services Available from Progent
Progent offers businesses in Lynnwood a variety of remote monitoring and security assessment services to help minimize your exposure to ransomware. These services use machine learning to identify zero-day ransomware variants that evade traditional signature-based anti-virus products.
For Lynnwood 24/7/365 Crypto Remediation Consultants, call Progent at 800-993-9400 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
ProSight Active Security Monitoring is an endpoint protection solution that uses behavior-based analysis to defend physical and virtual endpoints against new malware attacks such as ransomware and phishing payloads, which easily evade traditional signature-based anti-virus tools. ProSight ASM safeguards on-premises and cloud-based resources and provides a unified platform for the complete threat lifecycle: blocking, detection, mitigation, cleanup, and forensics. Top features include single-click rollback using Windows VSS (which depends on shadow copies the ransomware has not already deleted, so it complements rather than replaces offline backups) and automatic network-wide immunization against new attacks. Learn more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware defense.
- ProSight Enhanced Security Protection (ESP): Endpoint Protection and Microsoft Exchange Email Filtering
ProSight Enhanced Security Protection managed services offer affordable in-depth protection for physical and virtual servers, workstations, smartphones, and Microsoft Exchange. ProSight ESP uses contextual security and advanced heuristics to continuously monitor and respond to attacks from all vectors. ProSight ESP provides firewall protection, intrusion alerts, endpoint management, and web filtering through leading-edge technologies packaged in a single agent managed from a unified console. Progent's data protection and virtualization consultants can help your business design and configure a ProSight ESP deployment that addresses your specific requirements and lets you demonstrate compliance with legal and industry data protection regulations. Progent will help you specify and configure the security policies that ProSight ESP enforces, and Progent will monitor your network and react to alerts that call for urgent attention. Progent can also help you set up and verify a backup and restore solution such as ProSight Data Protection Services (DPS) so you can recover rapidly from a potentially disastrous attack like ransomware. Find out more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint security and Microsoft Exchange email filtering.
- ProSight Data Protection Services: Managed Backup and Recovery
ProSight Data Protection Services from Progent offer small and medium-sized businesses an affordable end-to-end solution for reliable backup and disaster recovery (BDR). For a low monthly cost, ProSight Data Protection Services automates and monitors your backup processes and enables rapid restoration of critical data, applications and virtual machines that have been lost or corrupted by hardware failures, software glitches, natural disasters, human error, or malicious attacks such as ransomware. ProSight Data Protection Services can help you protect, retrieve and restore files, folders, applications, system images, and Hyper-V and VMware virtual machine images. Important data can be protected in the cloud, on a local storage device, or mirrored to both. Progent's cloud backup specialists can provide world-class expertise to configure ProSight DPS to comply with regulatory requirements such as HIPAA, FINRA, and PCI and, whenever necessary, can help you recover your critical data. Find out more about ProSight DPS Managed Cloud Backup.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam filtering service that builds on the infrastructure of top information security companies to provide web-based management and world-class security for your inbound and outbound email. The hybrid structure of Progent's Email Guard combines cloud-based filtering with a local gateway device to provide complete protection against spam, viruses, Denial of Service (DoS) attacks, Directory Harvest Attacks, and other email-based threats. Email Guard's Cloud Protection Layer serves as the first barrier and blocks the vast majority of unwanted email before it reaches your network firewall. This decreases your exposure to external attacks and conserves bandwidth and storage. Email Guard's on-premises security gateway provides a further level of inspection for inbound email. For outbound email, the on-premises gateway offers anti-virus and anti-spam filtering, DLP, and email encryption. The onsite gateway can also assist Exchange Server in monitoring and protecting internal email that originates and ends inside your corporate firewall. For more information, visit Email Guard spam and content filtering.
- ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
ProSight WAN Watch is a network infrastructure monitoring and management service that makes it simple and affordable for small and mid-sized businesses to map out, track, enhance and troubleshoot their networking appliances like routers and switches, firewalls, and wireless controllers plus servers, endpoints and other devices. Using state-of-the-art Remote Monitoring and Management technology, ProSight WAN Watch makes sure that infrastructure topology maps are kept updated, copies and manages the configuration of virtually all devices connected to your network, monitors performance, and sends alerts when problems are detected. By automating complex management processes, WAN Watch can cut hours off ordinary tasks such as network mapping, reconfiguring your network, locating devices that need important software patches, or resolving performance issues. Find out more details about ProSight WAN Watch network infrastructure management services.
- ProSight LAN Watch: Server and Desktop Monitoring and Management
ProSight LAN Watch is Progent's server and desktop monitoring service that uses advanced remote monitoring and management (RMM) techniques to keep your network operating at peak levels by checking the state of critical computers that power your information system. When ProSight LAN Watch uncovers an issue, an alert is sent immediately to your designated IT personnel and your Progent consultant so that all potential problems can be addressed before they have a chance to disrupt your network. Learn more details about ProSight LAN Watch server and desktop remote monitoring services.
- ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
With ProSight Virtual Hosting service, a small or mid-size business can have its critical servers and apps hosted in a secure fault tolerant data center on a high-performance virtual machine host configured and maintained by Progent's network support professionals. Under the ProSight Virtual Hosting service model, the customer retains ownership of the data, the OS platforms, and the applications. Since the environment is virtualized, it can be ported easily to a different hosting environment without a time-consuming and technically risky configuration process. With ProSight Virtual Hosting, you are not locked into one hosting service. Find out more details about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to create, update, retrieve and protect information related to your network infrastructure, processes, applications, and services. You can instantly locate passwords or IP addresses and be warned automatically about upcoming expirations of SSL certificates or warranties. By keeping your IT infrastructure documentation current and organized, you can eliminate as much as half of the time spent trying to find vital information about your network. ProSight IT Asset Management includes a common repository for holding and collaborating on all documents required for managing your network infrastructure, such as recommended procedures and self-service instructions. ProSight IT Asset Management also supports a high level of automation for gathering and relating IT data. Whether you're making improvements, performing maintenance, or responding to a crisis, ProSight IT Asset Management delivers the information you require as soon as you need it. Learn more about Progent's ProSight IT Asset Management service.