Ransomware : Your Crippling IT Catastrophe
Ransomware Remediation Professionals
Ransomware has become an escalating cyberplague that represents an enterprise-level threat for businesses of all sizes that are poorly prepared for an attack. Ransomware families such as Reveton, CryptoWall, Locky, SamSam and MongoLock have been running rampant for years and continue to cause havoc. Newer crypto-ransomware strains such as Hermes and Ryuk, along with unnamed newcomers, not only encrypt critical data but also go after the recovery mechanisms an organization depends on, such as shadow copies and any backup target that is reachable and writable from the compromised network. Encrypted files that sync to cloud storage overwrite the good copies there, so cloud sync is not a backup. In a poorly architected environment this can make automatic restore impossible and effectively knocks the network back to zero.

Getting applications and data back after a crypto-ransomware outage is a sprint against time as the targeted organization fights to stop lateral movement, clear the ransomware, and restore business-critical activity. Because encrypting an entire environment takes hours, attackers frequently trigger the payload on weekends or holidays, when detection and response take longer. This multiplies the difficulty of rapidly assembling and coordinating a qualified response team.

Progent provides a range of services for protecting enterprises from ransomware. These include staff training to recognize and avoid phishing attempts, ProSight Active Security Monitoring (ASM) for behavior-based endpoint protection, and deployment of modern security appliances that use machine learning to identify and block new threats automatically. Progent can also provide experienced crypto-ransomware recovery engineers with the track record and perseverance to rebuild a compromised environment as quickly as possible.

Progent's Crypto-Ransomware Recovery Help
After a ransomware attack, paying the ransom in cryptocurrency does not guarantee that the criminals will hand over working keys to decrypt any or all of your data. Kaspersky found that 17% of ransomware victims never recovered their data even after paying, compounding their losses. The ransom itself is also costly. Ryuk demands have often ranged from 15 to 40 BTC (roughly $120,000 to $400,000 at the time), far above the typical ransomware demand, which ZDNet estimated at around $13,000. The alternative is to piece the essential components of your IT environment back together. Without access to complete, uncompromised backups, this requires a wide complement of IT skills, professional project management, and the willingness to work 24x7 until the job is done.

For twenty years, Progent has provided professional IT services to businesses in Lynnwood and across the United States and has earned Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes consultants with advanced certifications in leading technologies such as Microsoft, Cisco, VMware, and major Linux distributions. Progent's security engineers hold internationally recognized industry certifications including CISM, CISSP, CRISC, and SANS GIAC (see Progent's certifications). Progent also has experience with financial management and ERP applications. This breadth of expertise lets Progent quickly identify critical systems, salvage the surviving pieces of your IT environment after a crypto-ransomware penetration, and assemble them into a working system.

Progent's recovery team uses modern project management tools to coordinate the complex restoration process. Progent understands the importance of working swiftly and in concert with a client's management and IT staff to prioritize tasks and bring critical systems back online as fast as possible.

Client Case Study: A Successful Crypto-Ransomware Virus Restoration
A customer turned to Progent after its network was taken over by Ryuk crypto-ransomware. Ryuk shares code with the earlier Hermes ransomware and was initially attributed to North Korean state-sponsored actors on that basis; later analysis attributed its operation to a Russian-speaking criminal group. Ryuk is deployed in targeted, hands-on-keyboard intrusions against organizations with little tolerance for operational disruption, and it is one of the most profitable ransomware operations. Headline victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a manufacturing business headquartered in Chicago with around 500 employees. The Ryuk penetration had shut down all essential business and manufacturing processes. Most of the client's backups were online and writable from the compromised network when the attack began, and they were encrypted along with the production data. The client was considering paying the ransom (in excess of two hundred thousand dollars) and hoping for the best, but in the end engaged Progent.


"I can't thank you enough for the help Progent gave us throughout the most stressful period of (our) company's existence. We would have paid the Hackers except for the confidence the Progent group afforded us. That you could get our messaging and critical servers back in less than 1 week was earth shattering. Every single expert I interacted with or communicated with at Progent was urgently focused on getting our system up and was working 24 by 7 to bail us out."

Progent worked with the client to quickly identify and prioritize the essential services that had to be restored before departmental operations could resume:

  • Active Directory (AD)
  • Email
  • Financials/MRP
To begin, Progent followed ransomware incident response best practices: containing the outbreak by isolating infected hosts to stop lateral movement, then removing the malware. Progent then began bringing Microsoft Active Directory back online, since AD is the core of an enterprise network built on Windows. Microsoft Exchange will not operate without AD, and the business's financials and MRP system ran on Microsoft SQL Server using Windows (AD) authentication for database access, so neither could come back until AD did.

In less than 48 hours, Progent restored Active Directory to its pre-penetration state. Progent then rebuilt the required application servers and recovered their storage. All Exchange schema and configuration data in AD were intact, which simplified rebuilding Exchange. To recover email content, Progent located the local OST files (Microsoft Outlook Offline Data Files, the cached copy of each user's mailbox) on user workstations and laptops; an OST holds only what had synced to that machine before the attack, so mail that never reached a cached client cannot be recovered this way. A reasonably recent offline backup of the client's financials/ERP software made it possible to bring these vital applications back online for users. Although a large amount of work remained to recover fully from the Ryuk damage, essential services were restored quickly:


"For the most part, the assembly line operation showed little impact and we produced all customer deliverables."

Over the next couple of weeks, key milestones in the recovery project were reached in close collaboration between Progent engineers and the client:

  • Self-hosted web applications were returned to operation without data loss.
  • The MailStore Server archive of more than 4 million historical messages was brought up and made accessible to users.
  • CRM, customer orders, invoicing, accounts payable, accounts receivable (AR), and inventory control modules were fully operational.
  • A new Palo Alto Networks PA-850 firewall was brought online.
  • 90% of the desktop computers were functioning as before the incident.

"Much of what transpired in the initial days is mostly a haze for me, but our team will not forget the care all of your team accomplished to give us our company back. I've been working together with Progent for the past ten years, possibly more, and every time Progent has come through and delivered as promised. This event was a Herculean accomplishment."

Conclusion
A probable company-ending disaster was averted by results-oriented experts, a wide array of subject matter expertise, and tight teamwork. In hindsight, the ransomware penetration described here could have been detected and prevented with up-to-date security tooling and best practices, staff training, backup procedures that keep at least one copy offline or otherwise unreachable from the production network, and prompt security patching. Even so, state-sponsored and criminal attackers operating from China, Russia, North Korea and elsewhere are tireless and represent an ongoing threat. If you do fall victim to a ransomware attack, you can rely on Progent's team of professionals, who have extensive experience in ransomware defense, cleanup, and data restoration.


"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (and any others who were contributing), thank you for letting me get some sleep after we made it through the initial fire. All of you did a fabulous job, and if anyone is visiting the Chicago area, a great meal is on me!"

To review or download a PDF version of this customer case study, click:
Progent's Crypto-Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent offers companies in Lynnwood a portfolio of remote monitoring and security evaluation services designed to help you reduce the threat from crypto-ransomware. These services include modern artificial intelligence capability to detect zero-day ransomware variants that get past legacy signature-based anti-virus products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring (ASM) is an endpoint protection solution that uses behavior-based analysis to guard physical and virtual endpoints against new malware attacks such as ransomware and file-less exploits, which easily evade legacy signature-based AV products. ProSight ASM protects local and cloud-based resources and offers a unified platform to automate the complete malware attack lifecycle including filtering, detection, containment, remediation, and forensics. Top features include single-click rollback using Windows Volume Shadow Copy Service (VSS) and real-time network-wide immunization against newly discovered attacks. Note that VSS rollback depends on the shadow copies surviving the attack: most current ransomware, Ryuk included, deletes them and disables Windows recovery before encrypting, so the endpoint agent must block or at least alert on that tampering for rollback to be available. Read more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware recovery.
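As an added example (not Progent's code or any product's), the following Python scans process-creation records for the shadow-copy and recovery tampering commands that Ryuk-style ransomware runs before encryption, and flags hosts where several fire in a burst. The pipe-delimited log format, host names, users and timestamps are constructed for the example; on a real network you would feed it Sysmon Event ID 1 or Windows Security 4688 command lines.

```python
import re
from dataclasses import dataclass

# Command lines that destroy the material VSS rollback and Windows recovery
# depend on. Each pattern is a well-known pre-encryption step of Ryuk-family
# ransomware; the names on the left are labels chosen for this example.
TAMPER_PATTERNS = {
    "vss_delete":      re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    "vss_resize":      re.compile(r"vssadmin(\.exe)?\s+resize\s+shadowstorage", re.I),
    "wmic_shadow":     re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    "bcdedit_recov":   re.compile(r"bcdedit(\.exe)?\s+.*recoveryenabled\s+no", re.I),
    "bcdedit_ignore":  re.compile(r"bcdedit(\.exe)?\s+.*bootstatuspolicy\s+ignoreallfailures", re.I),
    "wbadmin_catalog": re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
}

# Constructed sample: timestamp|host|user|parent image|command line.
# Lines 1 and 6 are benign admin activity and must not fire.
SAMPLE_LOG = """\
2019-01-05T02:11:04Z|FS01|CORP\\svc-backup|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\vssadmin.exe list shadows
2019-01-05T02:13:40Z|FS01|CORP\\jdoe|C:\\Windows\\System32\\cmd.exe|vssadmin.exe Delete Shadows /all /quiet
2019-01-05T02:13:41Z|FS01|CORP\\jdoe|C:\\Windows\\System32\\cmd.exe|vssadmin.exe resize shadowstorage /for=C: /on=C: /maxsize=401MB
2019-01-05T02:13:42Z|FS01|CORP\\jdoe|C:\\Windows\\System32\\cmd.exe|bcdedit /set {default} recoveryenabled No
2019-01-05T02:13:43Z|FS01|CORP\\jdoe|C:\\Windows\\System32\\cmd.exe|bcdedit /set {default} bootstatuspolicy ignoreallfailures
2019-01-05T02:20:09Z|WS-ACCT7|CORP\\mlee|C:\\Windows\\explorer.exe|bcdedit /enum
2019-01-05T02:22:15Z|EX01|CORP\\jdoe|C:\\Windows\\System32\\cmd.exe|wmic shadowcopy delete
"""


@dataclass(frozen=True)
class Alert:
    timestamp: str
    host: str
    user: str
    technique: str
    cmdline: str


def parse_record(line):
    """Split one pipe-delimited record into its five fields, or None if malformed."""
    parts = line.strip().split("|", 4)
    return parts if len(parts) == 5 else None


def scan(log_text):
    """Return one Alert per record whose command line matches a tamper pattern."""
    alerts = []
    for raw in log_text.splitlines():
        rec = parse_record(raw)
        if rec is None:
            continue
        ts, host, user, _parent, cmd = rec
        for name, pattern in TAMPER_PATTERNS.items():
            if pattern.search(cmd):
                alerts.append(Alert(ts, host, user, name, cmd))
    return alerts


def hosts_with_burst(alerts, min_techniques=2):
    """Hosts on which at least min_techniques distinct tamper commands fired.

    A single 'vssadmin delete shadows' can be an admin reclaiming disk space;
    several distinct recovery-disabling commands in sequence is the ransomware
    cleanup script and should trigger isolation of the host.
    """
    by_host = {}
    for a in alerts:
        by_host.setdefault(a.host, set()).add(a.technique)
    return sorted(h for h, techs in by_host.items() if len(techs) >= min_techniques)


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for a in found:
        print(f"{a.timestamp} {a.host} {a.user} {a.technique}: {a.cmdline}")
    print("isolate:", hosts_with_burst(found))
```

The benign `vssadmin list shadows` and `bcdedit /enum` records are not flagged, the file server with four distinct tamper commands in three seconds is singled out for isolation, and the single `wmic shadowcopy delete` on the Exchange host is reported as an alert without meeting the burst threshold. Tune `min_techniques` to your environment; for a detection-only feed the individual alerts are what you forward, while the burst list is what an automated containment action would act on.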

  • ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Protection and Microsoft Exchange Email Filtering
    Progent's ProSight Enhanced Security Protection (ESP) services deliver economical in-depth security for physical servers and virtual machines, workstations, smartphones, and Exchange email. ProSight ESP uses adaptive security and modern behavior analysis to continuously monitor and respond to security threats from all attack vectors. ProSight ESP delivers two-way firewall protection, intrusion alarms, endpoint management, and web filtering through leading-edge technologies packaged within one agent accessible from a single console. Progent's security and virtualization experts can help your business plan and configure a ProSight ESP environment that meets your company's unique needs and helps you demonstrate compliance with legal and industry data security regulations. Progent will help you define and configure the policies that ProSight ESP enforces, and Progent will monitor your network and respond to alarms that call for urgent attention. Progent can also help you install and verify a backup and restore solution such as ProSight Data Protection Services (DPS) so you can recover rapidly from a potentially disastrous security attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint security and Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery
    ProSight Data Protection Services provide small and medium-sized organizations a low-cost, fully managed solution for secure backup and disaster recovery. For a fixed monthly rate, ProSight Data Protection Services automates your backup processes and allows rapid restoration of vital files, applications and VMs that have been lost or damaged as a result of hardware failures, software bugs, disasters, human error, or malicious attacks like ransomware. ProSight DPS can help you protect, recover and restore files, folders, applications, system images, and Hyper-V and VMware images. Critical data can be backed up to the cloud, to a local device, or mirrored to both, so that a copy exists that ransomware running on the production network cannot reach. Progent's cloud backup consultants can deliver advanced expertise to configure ProSight Data Protection Services to comply with government and industry regulatory requirements like HIPAA, FERPA, PCI and Safe Harbor and, whenever needed, can help you restore your critical information. Find out more about ProSight Data Protection Services Managed Cloud Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that uses the technology of leading information security companies to deliver web-based management and comprehensive security for your email traffic. The hybrid structure of Progent's Email Guard managed service combines cloud-based filtering with an on-premises security gateway appliance to provide defense in depth against spam, viruses, denial of service attacks, directory harvest attacks (DHAs), and other email-based threats. Email Guard's Cloud Protection Layer serves as the first line of defense and blocks the vast majority of unwanted email before it reaches your network firewall. This reduces your exposure to inbound attacks and saves network bandwidth and storage space. Email Guard's onsite security gateway device provides a deeper layer of analysis for incoming email. For outbound email, the local gateway provides anti-virus and anti-spam filtering, DLP, and email encryption. The on-premises security gateway can also assist Exchange Server to track and protect internal email traffic that stays inside your security perimeter. For more information, see Email Guard spam and content filtering.

  • ProSight WAN Watch: Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is a network infrastructure monitoring and management service that makes it simple and affordable for smaller organizations to map, monitor, enhance and debug their networking appliances like routers and switches, firewalls, and wireless controllers plus servers, printers, endpoints and other devices. Using cutting-edge RMM technology, ProSight WAN Watch makes sure that network maps are always current, copies and manages the configuration information of virtually all devices connected to your network, monitors performance, and sends notices when issues are discovered. By automating complex management processes, WAN Watch can knock hours off common chores like making network diagrams, reconfiguring your network, finding devices that need important software patches, or identifying the cause of performance problems. Learn more details about ProSight WAN Watch infrastructure management services.

  • ProSight LAN Watch: Server and Desktop Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop remote monitoring service that uses state-of-the-art remote monitoring and management technology to keep your network operating efficiently by tracking the state of the vital computers that power your information system. When ProSight LAN Watch uncovers an issue, an alarm is transmitted immediately to your specified IT management staff and your Progent consultant so all potential issues can be resolved before they have a chance to disrupt productivity. Learn more about ProSight LAN Watch server and desktop remote monitoring consulting.

  • ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
    With ProSight Virtual Hosting service, a small or mid-size business can have its critical servers and applications hosted in a secure, fault-tolerant data center on a high-performance virtual machine host configured and maintained by Progent's network support professionals. With Progent's ProSight Virtual Hosting service model, the customer retains ownership of the data, the operating system platforms, and the applications. Since the environment is virtualized, it can be moved quickly to different hardware without a lengthy and difficult reconfiguration. With ProSight Virtual Hosting, you are not tied to a single hosting service. Learn more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to create, update, find and safeguard information about your IT infrastructure, procedures, applications, and services. You can instantly locate passwords or IP addresses and be warned about upcoming expirations of SSL certificates, domains or warranties. By cleaning up and managing your IT infrastructure documentation, you can save up to half the time otherwise wasted hunting for vital information about your network. ProSight IT Asset Management includes a common repository for holding and collaborating on all the documents required for managing your network infrastructure, such as standard operating procedures (SOPs) and how-tos. ProSight IT Asset Management also offers advanced automation for collecting and associating IT data. Whether you're making improvements, doing maintenance, or reacting to an emergency, ProSight IT Asset Management gets you the knowledge you require as soon as you need it. Read more about Progent's ProSight IT Asset Management service.
For Lynnwood 24x7x365 Ransomware Recovery Support Services, reach out to Progent at 800-993-9400 or go to Contact Progent.