Ransomware : Your Crippling Information Technology Disaster
Ransomware Remediation Professionals

Ransomware has become a too-frequent cyber pandemic that poses an enterprise-level threat to any organization vulnerable to an attack. Successive generations of crypto-ransomware such as the CryptoLocker, CryptoWall, Bad Rabbit, SamSam and MongoLock cryptoworms have been running rampant for years and still inflict havoc. Recent strains like Ryuk and Hermes, along with a steady stream of as-yet-unnamed variants, not only encrypt online data files but also corrupt most configured system restore points and backups. Information synchronized to off-site disaster recovery sites can be ransomed as well. In a poorly designed environment, this can render every restore operation useless and effectively knock the entire system back to zero.

Recovering programs and data following a crypto-ransomware intrusion becomes a race against time as the victim struggles to contain and eradicate the ransomware and to resume enterprise-critical operations. Because ransomware needs time to spread, attacks are frequently launched at night, when the intrusion is likely to go undetected for longer. This compounds the difficulty of quickly assembling and organizing a qualified response team.

Progent provides a range of services for protecting organizations against ransomware events. These include user training in recognizing and avoiding phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, and deployment of current-generation security solutions that use AI technology to automatically identify and neutralize zero-day threats. Progent also offers the assistance of veteran ransomware recovery engineers with the skills and commitment to rebuild a compromised environment as quickly as possible.

Progent's Ransomware Restoration Services
Following a ransomware penetration, even paying the ransom in cryptocurrency offers no assurance that the attackers will hand over the keys needed to decrypt all your data. Kaspersky Labs estimated that 17% of crypto-ransomware victims never recovered their information after sending off the ransom, compounding their losses. The gamble is also expensive. Ryuk ransoms typically range from 15-40 BTC ($120,000 to $400,000), well above the typical ransomware demand, which ZDNet estimates to be around $13,000. The alternative is to rebuild the vital parts of your IT environment from scratch. Without complete data backups, this calls for a broad complement of IT skills, top-notch project management, and the ability to work non-stop until the job is done.

For decades, Progent has provided expert IT services to businesses in Plano and throughout the U.S. and has earned Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes consultants who hold top certifications in leading technologies from Microsoft, Cisco and VMware and in popular Linux distributions. Progent's cyber security experts hold internationally recognized industry certifications including CISA, CISSP, CRISC, and SANS GIAC. (See Progent's certifications.) Progent also has experience with financial systems and ERP applications. This breadth of experience allows Progent to efficiently identify the essential systems, salvage the remaining components of your IT environment after a ransomware penetration, and rebuild them into a functioning network.

Progent's security team uses best-of-breed project management systems to orchestrate the complex restoration process. Progent understands the urgency of acting quickly and works together with a customer's management and IT staff to prioritize tasks and get the most important applications back online as soon as humanly possible.

Customer Case Study: A Successful Ransomware Penetration Recovery
A customer sought out Progent after their network was penetrated by the Ryuk ransomware. Ryuk is generally believed to have been created by North Korean government-sponsored criminal gangs, possibly adopting techniques leaked from the U.S. National Security Agency. Ryuk targets specific businesses with little tolerance for disruption and is one of the most profitable crypto-ransomware families. Headline victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a single-location manufacturing company in Chicago with around 500 staff members. The Ryuk penetration had frozen all essential business operations and manufacturing processes. Most of the client's data backups had been online at the time of the intrusion and were eventually encrypted. The client was actively seeking loans to pay the ransom (more than two hundred thousand dollars) and hoping for good luck, but in the end brought in Progent.

"I cannot thank you enough for the support Progent gave us during the most critical period of (our) company's life. We most likely would have paid the cyber criminals except for the confidence the Progent team gave us. The fact that you were able to get our e-mail and critical servers back online in less than a week was something I thought impossible. Every single expert I interacted with or e-mailed at Progent was laser focused on getting our company operational and was working at all hours to bail us out."

Progent worked with the customer to quickly identify and prioritize the mission-critical systems that had to be restored in order for the company to keep functioning:

  • Active Directory (AD)
  • Electronic Mail
  • Accounting/MRP

To start, Progent followed anti-virus and malware incident mitigation best practices by stopping the spread of the infection and cleaning the affected systems. Progent then began the task of restoring Windows Active Directory, the heart of enterprise systems built on Microsoft technology. Exchange email will not operate without Windows AD, and the business's MRP system ran on Microsoft SQL Server, which depends on Active Directory services for authenticated access to its databases.

Within 48 hours, Progent had rebuilt Active Directory services to their pre-attack state. Progent then pressed ahead with setup and hard drive recovery on the mission-critical servers. All Microsoft Exchange Server links and attributes in Active Directory were intact, which accelerated the rebuild of Exchange. Progent located intact OST files (Microsoft Outlook Offline Data Files) on staff desktop computers and laptops and used them to recover email data. A recent offline backup of the client's accounting systems made it possible to bring these vital services back into operation for users. Although a great deal of work remained to recover fully from the Ryuk damage, the essential systems were restored rapidly:

"For the most part, the assembly line operation showed little impact and we made all customer deliverables."

Over the following month, important milestones in the restoration process were achieved through close collaboration between Progent consultants and the customer:

  • In-house web sites were restored without losing any data.
  • The MailStore email archive server, holding more than four million archived messages, was brought online and made accessible to users.
  • The CRM, Customer Orders, Invoices, Accounts Payable, Accounts Receivable and Inventory modules were 100% operational.
  • A new Palo Alto Networks 850 firewall was installed and configured.
  • Ninety percent of the user desktops and notebooks were functioning as before the incident.

"So much of what transpired that first week is nearly entirely a blur for me, but I will not soon forget the care each and every one of the team put in to give us our business back. I have been working with Progent for at least 10 years, possibly more, and each time I needed help Progent has outperformed my expectations and delivered as promised. This time was the most impressive ever."

Conclusion
A potentially enterprise-killing disaster was averted thanks to hard-working experts, a broad range of technical expertise, and close teamwork. The post-incident analysis showed that the ransomware attack described here could have been stopped with up-to-date security technology, ISO/IEC 27001 best practices, staff education, and well-designed security procedures for data protection and timely application of security patches. The fact remains, however, that state-sponsored criminal cyber gangs from China, Russia, North Korea and elsewhere are relentless and an ongoing threat. If you do fall victim to a ransomware attack, you can be confident that Progent's team of professionals has proven experience in crypto-ransomware blocking, mitigation, and information systems restoration.

"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Tony (along with others who were contributing), thank you for letting me get some sleep after we got past the first week. Everyone did an incredible job, and if any of your team is in the Chicago area, a great meal is the least I can do!"

To read or download a PDF version of this ransomware incident report, see Progent's Crypto-Ransomware Recovery Case Study Datasheet (PDF, 282 KB).

Additional Ransomware Protection Services Available from Progent
Progent offers businesses in Plano a range of online monitoring and security evaluation services to help minimize the threat from ransomware. These services use modern artificial intelligence technology to detect new strains of ransomware that evade traditional signature-based anti-virus solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring is an endpoint protection solution that uses behavior-based analysis to defend physical and virtual endpoint devices against modern malware attacks such as ransomware and file-less exploits, which routinely evade legacy signature-matching AV products. ProSight Active Security Monitoring protects on-premises and cloud-based resources and offers a unified platform covering the complete malware attack lifecycle: protection, detection, containment, remediation, and forensics. Key capabilities include one-click rollback using Windows VSS snapshots and automatic network-wide immunization against newly discovered threats. Learn more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection: Physical and Virtual Endpoint Protection and Microsoft Exchange Email Filtering
    ProSight Enhanced Security Protection (ESP) services deliver affordable multi-layer security for physical servers and VMs, desktops, smartphones, and Exchange email. ProSight ESP uses adaptive security and advanced machine learning for round-the-clock monitoring of and response to cyber attacks across all attack vectors. ProSight ESP provides firewall protection, intrusion alerts, device control, and web filtering through technologies packaged in a single agent managed from a single console. Progent's data protection and virtualization consultants can help you plan and implement a ProSight ESP environment that meets your organization's requirements and helps you demonstrate compliance with government and industry data security standards. Progent will help you define and implement the security policies that ProSight ESP enforces, and Progent will monitor your network and react to alerts that call for immediate action. Progent can also help you set up and test a backup and disaster recovery solution such as ProSight Data Protection Services (DPS) so you can get back in business quickly after a potentially disastrous security incident such as ransomware. Find out more about Progent's ProSight Enhanced Security Protection unified endpoint security and Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery
    ProSight Data Protection Services from Progent provide small and medium-sized businesses a low-cost, fully managed service for secure backup and disaster recovery. Available at a low monthly rate, ProSight DPS automates and monitors your backup processes and allows rapid recovery of critical files, applications and virtual machines that have become unavailable or corrupted due to hardware failures, software glitches, disasters, human error, or malicious attacks like ransomware. ProSight Data Protection Services can help you back up, retrieve and restore files, folders, applications, system images, and Hyper-V and VMware images. Important data can be protected in the cloud, on an on-premises storage device, or mirrored to both. Progent's backup and recovery consultants can deliver world-class expertise to configure ProSight DPS for compliance with government and industry regulatory requirements such as HIPAA, FERPA, PCI and Safe Harbor and, when needed, can help you recover your critical data. Find out more about ProSight DPS Managed Cloud Backup.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that uses the infrastructure of leading data security companies to provide centralized control and comprehensive security for all your email traffic. The architecture of Progent's Email Guard combines a Cloud Protection Layer with an on-premises security gateway appliance to provide advanced protection against spam, viruses, Denial of Service (DoS) attacks, directory harvest attacks (DHAs), and other email-borne threats. Email Guard's cloud filter acts as a first barrier and keeps most unwanted email from ever reaching your network firewall, which reduces your exposure to external attacks and saves bandwidth and storage. Email Guard's on-site security gateway appliance adds a deeper level of analysis for inbound email. For outbound email, the on-site gateway offers anti-virus and anti-spam filtering, policy-based Data Loss Prevention, and email encryption. The local gateway can also assist Exchange Server in monitoring and protecting internal email traffic that originates and terminates inside your corporate firewall. For more details, visit Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Infrastructure Remote Monitoring and Management
    Progent's ProSight WAN Watch is a network infrastructure management service that makes it easy and inexpensive for small and mid-sized businesses to map, monitor, reconfigure and troubleshoot their connectivity hardware such as switches, firewalls, and access points, plus servers, endpoints and other networked devices. Built on Remote Monitoring and Management (RMM) technology, WAN Watch keeps network diagrams up to date, captures and displays the configuration of virtually every device on your network, tracks performance, and sends alerts when problems are detected. By automating time-consuming management activities, ProSight WAN Watch can cut hours off common tasks such as network mapping, expanding your network, locating devices that need important updates, and identifying the cause of performance issues. Learn more about ProSight WAN Watch network infrastructure management services.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring
    ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that uses remote monitoring and management technology to keep your network running at peak levels by tracking the health of the vital computers that power your business network. When ProSight LAN Watch detects an issue, an alert is sent immediately to your designated IT personnel and your assigned Progent engineering consultant so that potential problems can be resolved before they affect your network. Find out more about ProSight LAN Watch server and desktop remote monitoring consulting.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
    With the ProSight Virtual Hosting service, a small or mid-size organization can have its key servers and applications hosted in a secure Tier III data center on a fast virtual host configured and maintained by Progent's IT support experts. Under the ProSight Virtual Hosting service model, the client owns the data, the OS platforms, and the applications. Because the environment is virtualized, it can be ported easily to a different hosting solution without a lengthy and difficult reinstallation. With ProSight Virtual Hosting, you are not locked into a single hosting provider. Learn more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management is a cloud-based IT documentation management service that allows you to capture, maintain, find and protect information about your network infrastructure, procedures, applications, and services. You can quickly locate passwords or IP addresses and be warned about upcoming expirations of SSL certificates or domains. By keeping your IT infrastructure documentation current and well organized, you can save as much as 50% of the time otherwise wasted searching for vital information about your network. ProSight IT Asset Management includes a shared repository for storing and sharing all documents related to managing your business network, such as standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also supports advanced automation for collecting and correlating IT information. Whether you're planning enhancements, doing routine maintenance, or responding to a crisis, ProSight IT Asset Management gives you the information you need the instant you need it. Learn more about Progent's ProSight IT Asset Management service.

For 24/7 Plano Ransomware Repair Help, reach out to Progent at 800-993-9400 or go to Contact Progent.