Ransomware: Your Feared IT Disaster
Ransomware has become an escalating cyberplague that presents an extinction-level danger for businesses vulnerable to an attack. Multiple generations of crypto-ransomware such as Dharma, Fusob, Bad Rabbit and MongoLock have been circulating for years and still cause destruction. Newer ransomware families such as Ryuk, Maze, Sodinokibi (REvil), Netwalker, Conti and Egregor not only encrypt online data but also seek out and encrypt or delete any backup that the compromised accounts can reach. Data replicated to the cloud is also exposed, because a synchronization or replication job will faithfully copy encrypted files over good ones. In a poorly architected environment with no offline or immutable copies, this can render automated restoration hopeless and knocks the network back to square one.

Restoring services and information after a ransomware attack becomes a race against time as the targeted organization tries to stop lateral movement, eradicate the ransomware, and restore business-critical operations. Because encryption and lateral spread take time, attacks are often detonated during nights and weekends, when a successful attack may go unnoticed for longer. This multiplies the difficulty of promptly mobilizing and orchestrating a capable response team.
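The two paragraphs above describe how modern ransomware destroys the recovery points a victim would otherwise fall back on, and how off-hours detonation stretches the time to discovery. The following is an added example, not code from this page or from Progent: a Python scanner that runs over constructed process-creation records (the fields you would extract from Sysmon Event ID 1 or Windows Security event 4688) and flags the well-documented commands ransomware runs before encrypting to delete Volume Shadow Copies, wipe the Windows Backup catalog and disable startup recovery, tagging any hit that lands on a weekend or outside business hours. The pipe-delimited log format, the host and user names, and the 07:00 to 19:00 business window are assumptions made for the example.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime

# Detection rules: (rule name, expected image file name, regex on the lowercased
# command line). Each reflects a documented pre-encryption step used by many
# ransomware families to destroy the recovery points that VSS rollback relies on.
RULES = [
    ("vss_delete_shadows", "vssadmin.exe", re.compile(r"\bdelete\s+shadows\b")),
    ("vss_resize_storage", "vssadmin.exe", re.compile(r"\bresize\s+shadowstorage\b.*maxsize=")),
    ("wmic_shadow_delete", "wmic.exe", re.compile(r"\bshadowcopy\b.*\bdelete\b")),
    ("wbadmin_delete", "wbadmin.exe", re.compile(r"\bdelete\s+(catalog|systemstatebackup)\b")),
    ("bcdedit_no_recovery", "bcdedit.exe", re.compile(r"recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures")),
    ("ps_wmi_shadow_delete", "powershell.exe", re.compile(r"win32_shadowcopy.*\bdelete\b")),
]

# Business-hours window is a constructed policy for this example, not a standard.
BUSINESS_START_HOUR, BUSINESS_END_HOUR = 7, 19


@dataclass(frozen=True)
class ProcessEvent:
    timestamp: datetime
    host: str
    user: str
    image: str
    command_line: str


@dataclass(frozen=True)
class Alert:
    rule: str
    host: str
    user: str
    off_hours: bool
    command_line: str


def parse_line(line: str) -> ProcessEvent:
    """Parse one pipe-delimited process-creation record (constructed format):
    timestamp|host|user|image path|command line. The command line may itself
    contain '|', so split only on the first four delimiters."""
    ts, host, user, image, cmd = line.rstrip("\n").split("|", 4)
    return ProcessEvent(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), host, user, image, cmd)


def is_off_hours(ts: datetime) -> bool:
    """Weekend, or outside the constructed business window on a weekday."""
    return ts.weekday() >= 5 or not (BUSINESS_START_HOUR <= ts.hour < BUSINESS_END_HOUR)


def match_rules(event: ProcessEvent) -> list[str]:
    """Return the names of every rule the event triggers. The image name is the
    last path component, so a copy run from SysWOW64 is matched as well."""
    image_name = event.image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    cmd = event.command_line.lower()
    return [name for name, image, pattern in RULES if image_name == image and pattern.search(cmd)]


def scan(lines: list[str]) -> list[Alert]:
    """Parse every non-empty record and emit one Alert per triggered rule."""
    alerts: list[Alert] = []
    for line in lines:
        if not line.strip():
            continue
        event = parse_line(line)
        for rule in match_rules(event):
            alerts.append(Alert(rule, event.host, event.user, is_off_hours(event.timestamp), event.command_line))
    return alerts


# Constructed sample records: one benign admin query on a Tuesday morning, then
# the classic recovery-destruction sequence fired on a file server early Saturday.
SAMPLE_LOG = [
    "2024-03-12 10:02:11|FS01|CORP\\jsmith|C:\\Windows\\System32\\vssadmin.exe|vssadmin list shadows",
    "2024-03-16 02:13:44|FS01|CORP\\svc_backup|C:\\Windows\\System32\\vssadmin.exe|vssadmin.exe Delete Shadows /All /Quiet",
    "2024-03-16 02:13:45|FS01|CORP\\svc_backup|C:\\Windows\\System32\\wbem\\WMIC.exe|wmic shadowcopy delete",
    "2024-03-16 02:13:46|FS01|CORP\\svc_backup|C:\\Windows\\System32\\bcdedit.exe|bcdedit /set {default} recoveryenabled No",
    "2024-03-16 02:13:47|FS01|CORP\\svc_backup|C:\\Windows\\System32\\wbadmin.exe|wbadmin delete catalog -quiet",
    "2024-03-16 02:13:48|FS01|CORP\\svc_backup|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell -c \"Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete()}\"",
]

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        flag = "OFF-HOURS " if a.off_hours else ""
        print(f"{flag}{a.rule:22} {a.host} {a.user}: {a.command_line}")
```

Run as a script it prints five alerts, all tagged OFF-HOURS; the benign `vssadmin list shadows` record is not flagged. In practice you would feed it process-creation lines exported from a SIEM and page on any hit, since `vssadmin Delete Shadows /All /Quiet` on a file server at 02:13 on a Saturday is almost never legitimate administration. Matching on the image's final path component catches copies run from unusual directories, but a renamed binary would slip past; if your telemetry carries the original file name or a hash, match on that as well.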

Progent offers a variety of services for protecting organizations from ransomware attacks. These include user education to help staff recognize and avoid phishing, ProSight Active Security Monitoring (ASM) for behavior-based endpoint protection, and deployment of modern security appliances with machine-learning technology to quickly identify and contain new cyber threats. Progent also offers the assistance of veteran ransomware recovery consultants with the skills and commitment to restore a compromised network as quickly as possible.

Progent's Ransomware Restoration Help
After a ransomware attack, paying the ransom in Bitcoin provides no assurance that the criminals will deliver working decryption keys for all your information. Kaspersky Labs found that 17% of ransomware victims never recovered their data even after paying, compounding their losses. Paying is also costly. Ryuk ransoms frequently range from 15 to 40 BTC (roughly $120,000 to $400,000 at the time), significantly higher than typical ransomware demands, which ZDNet estimated at approximately $13,000. The other path is to rebuild the critical components of your IT environment from scratch. Without complete backups, this calls for a wide range of IT skills, professional project management, and the ability to work non-stop until the recovery is complete.

For two decades, Progent has provided professional Information Technology services for businesses in Miami and throughout the United States and has achieved Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes engineers who hold top certifications in key technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity specialists hold internationally recognized certifications including CISM, CISSP, CRISC, and GIAC. (See Progent's certifications). Progent also has expertise with financial management and ERP application software. This breadth of experience gives Progent the skills to quickly understand the systems involved, organize the surviving parts of your IT environment after a ransomware event, and configure them into an operational network.

Progent's ransomware group uses proven project management practices to coordinate the complicated recovery process. Progent appreciates the urgency of working rapidly and together with a customer's management and Information Technology team members to prioritize tasks and to put essential services back online as soon as humanly possible.

Customer Case Study: A Successful Ransomware Attack Restoration
A customer escalated to Progent after their company was attacked by the Ryuk ransomware. Ryuk was initially attributed to North Korean state-sponsored hackers because it shares code with the earlier Hermes ransomware, but subsequent analysis by security vendors attributes it to a Russian-speaking criminal group. Ryuk targets specific organizations with little tolerance for operational disruption and is among the most lucrative ransomware families. Notable victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a small manufacturer located in the Chicago metro area with around 500 employees. The Ryuk intrusion had brought down all essential business operations and manufacturing capabilities. Most of the client's backups had been online at the start of the attack and were eventually encrypted. The client was arranging financing to pay the ransom (in excess of $200K) and hoping for the best, but ultimately turned to Progent.


"I cannot thank you enough about the help Progent gave us during the most stressful period of (our) businesses survival. We most likely would have paid the cyber criminals if it wasnít for the confidence the Progent group gave us. The fact that you could get our e-mail and critical applications back on-line faster than seven days was earth shattering. Every single consultant I spoke to or e-mailed at Progent was absolutely committed on getting our company operational and was working non-stop on our behalf."

Progent worked hand in hand with the client to quickly identify and prioritize the mission-critical elements that had to be addressed before departmental functions could resume:

  • Active Directory (AD)
  • Microsoft Exchange
  • Accounting and Manufacturing Software
To start, Progent followed incident response best practices by stopping lateral movement and removing the malware from affected systems. Progent then began rebuilding Windows Active Directory, the foundation of enterprise environments built on Microsoft Windows Server. Microsoft Exchange Server will not operate without AD, and the client's accounting and MRP software ran on Microsoft SQL Server, which relied on AD for authentication and access to the data.

Within 48 hours, Progent had rebuilt Active Directory to its pre-intrusion state. Progent then moved on to reinstalling the most important applications and recovering their data. Exchange's AD objects and attributes were intact, which accelerated the restoration of Exchange. Progent was also able to collect unencrypted OST files (Microsoft Outlook Offline Data Files) from staff PCs and laptops in order to recover email messages. A fairly recent offline backup of the client's accounting/MRP systems made it possible to bring those required applications back online for users. Although a large amount of work remained to recover completely from the Ryuk attack, core systems were restored quickly:


"For the most part, the manufacturing operation survived unscathed and we did not miss any customer shipments."

Over the following couple of weeks important milestones in the recovery process were achieved in tight cooperation between Progent engineers and the client:

  • Internal web sites were brought back up with no loss of information.
  • The MailStore archive of Microsoft Exchange Server mail, holding over four million historical messages, was brought online and made accessible to users.
  • CRM/Product Ordering/Invoices/AP/Accounts Receivables/Inventory modules were fully operational.
  • A new Palo Alto Networks PA-850 firewall was installed and configured.
  • Most of the desktop computers were functioning as before the incident.

"A lot of what was accomplished those first few days is nearly entirely a fog for me, but I will not forget the care all of you accomplished to help get our company back. I have trusted Progent for at least 10 years, possibly more, and every time Progent has come through and delivered as promised. This event was a stunning achievement."

Conclusion
A likely business-ending catastrophe was avoided thanks to hard-working professionals, a broad array of technical expertise, and close collaboration. Although post-incident forensics showed that the ransomware incident described here should have been prevented by modern security technology, ISO/IEC 27001 best practices, user education, and disciplined backup and patch-management procedures, the reality remains that state-sponsored and criminal threat actors from Russia, North Korea and elsewhere are relentless and an ongoing threat. If you do fall victim to a ransomware incident, be confident that Progent's roster of professionals has substantial experience in ransomware blocking, cleanup, and data disaster recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Tony (and any others who were contributing), thank you for making it so I could get some sleep after we made it over the initial push. All of you did an amazing effort, and if any of your guys is visiting the Chicago area, a great meal is the least I can do!"

To read or download a PDF version of this customer story, please click:
Progent's Crypto-Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Offered by Progent
Progent offers companies in Miami a portfolio of online monitoring and security evaluation services designed to help you minimize the threat from ransomware. These services incorporate behavior-based, machine-learning detection to catch zero-day variants of ransomware that get past legacy signature-based security solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection service that uses next-generation behavior-based analysis to guard physical and virtual endpoints against new malware attacks such as ransomware and file-less exploits, which easily evade traditional signature-matching anti-virus products. ProSight ASM protects local and cloud-based resources and provides a unified platform to automate the full threat lifecycle: protection, detection, containment, cleanup, and forensics. Top capabilities include single-click rollback using the Windows Volume Shadow Copy Service (provided the shadow copies themselves survive; many ransomware families delete them before encrypting, which is why early behavioral detection matters) and real-time system-wide immunization against newly discovered threats. Learn more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection (ESP): Endpoint Security and Microsoft Exchange Filtering
    ProSight Enhanced Security Protection managed services offer economical multi-layer security for physical servers and virtual machines, desktops, smartphones, and Microsoft Exchange. ProSight ESP uses adaptive security and advanced machine learning to continuously monitor and react to security threats from all attack vectors. ProSight ESP offers two-way firewall protection, intrusion alerts, device management, and web filtering via leading-edge tools packaged within a single agent managed from a unified console. Progent's data protection and virtualization experts can help your business design and implement a ProSight ESP environment that addresses your company's specific needs and that helps you demonstrate compliance with legal and industry information protection regulations. Progent will help you specify and configure the policies that ProSight ESP will enforce, and Progent will monitor your IT environment and react to alarms that call for immediate action. Progent can also help your company install and test a backup and restore solution such as ProSight Data Protection Services (DPS) so you can recover quickly from a potentially disastrous security attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint protection and Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery
    ProSight Data Protection Services provide small and mid-sized businesses an affordable end-to-end solution for secure backup and disaster recovery. For a low monthly cost, ProSight Data Protection Services automates and monitors your backup processes and allows rapid restoration of vital files, applications and virtual machines that have become unavailable or corrupted due to component failures, software bugs, disasters, human error, or malware attacks such as ransomware. ProSight Data Protection Services can help you protect, retrieve and restore files, folders, applications, system images, plus Hyper-V and VMware virtual machine images. Important data can be protected in the cloud, on an on-premises storage device, or both. Progent's backup and recovery specialists can provide advanced expertise to set up ProSight Data Protection Services to comply with government and industry regulatory requirements such as HIPAA, FINRA, PCI and Safe Harbor and, whenever necessary, can assist you in recovering your critical data. Find out more about ProSight DPS Managed Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that incorporates the technology of top data security companies to deliver web-based control and comprehensive security for your inbound and outbound email. Progent's Email Guard managed service layers a Cloud Protection Layer with a local gateway appliance to offer advanced defense against spam, viruses, Denial of Service (DoS) attacks, Directory Harvest Attacks (DHAs), and other email-based threats. The cloud filter serves as a first barrier and blocks the vast majority of threats before they reach your network firewall. This decreases your exposure to external attacks and saves bandwidth and storage. Email Guard's onsite security gateway appliance provides a further level of inspection for incoming email. For outgoing email, the on-premises gateway offers AV and anti-spam protection, protection against data leaks, and email encryption. The onsite security gateway can also help Exchange Server monitor and protect internal email traffic that originates and ends within your security perimeter. For more details, see Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Infrastructure Remote Monitoring and Management
    Progent's ProSight WAN Watch is an infrastructure monitoring and management service that makes it easy and inexpensive for small and mid-sized businesses to map, monitor, reconfigure and troubleshoot their networking hardware such as routers, firewalls, and wireless controllers plus servers, printers, endpoints and other networked devices. Using Remote Monitoring and Management (RMM) technology, ProSight WAN Watch keeps infrastructure topology diagrams up to date, backs up and manages the configuration of almost all devices connected to your network, tracks performance, and generates notifications when potential issues are discovered. By automating time-consuming management processes, WAN Watch can cut hours off common chores such as making network diagrams, reconfiguring your network, finding appliances that need important software patches, or isolating performance issues. Learn more about ProSight WAN Watch infrastructure monitoring and management services.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring
    ProSight LAN Watch is Progent's server and desktop remote monitoring service that uses remote monitoring and management technology to help keep your network running efficiently by tracking the health of the vital assets that drive your information system. When ProSight LAN Watch uncovers a problem, an alert is sent automatically to your designated IT staff and your Progent consultant so potential issues can be addressed before they impact productivity. Learn more about ProSight LAN Watch server and desktop remote monitoring consulting.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With ProSight Virtual Hosting service, a small or mid-size business can have its critical servers and applications hosted in a protected Tier III data center on a fast virtual host set up and maintained by Progent's IT support experts. With Progent's ProSight Virtual Hosting model, the client owns the data, the operating system platforms, and the apps. Because the system is virtualized, it can be ported easily to a different hardware environment without requiring a time-consuming and difficult reinstallation procedure. With ProSight Virtual Hosting, you are not locked into a single hosting provider. Learn more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to create, update, retrieve and safeguard information about your network infrastructure, procedures, business applications, and services. You can instantly find passwords or IP addresses and be warned automatically about impending expirations of SSL/TLS certificates or domains. By updating and organizing your IT infrastructure documentation, you can eliminate up to 50% of the time spent trying to find critical information about your IT network. ProSight IT Asset Management includes a common location for holding and sharing all documents related to managing your network infrastructure such as standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also offers advanced automation for collecting and associating IT information. Whether you're planning improvements, performing regular maintenance, or reacting to an emergency, ProSight IT Asset Management gets you the information you require the instant you need it. Find out more about Progent's ProSight IT Asset Management service.
For 24-7 Miami Crypto-Ransomware Repair Consulting, reach out to Progent at 800-993-9400 or go to Contact Progent.