Ransomware: Your Worst IT Disaster
Ransomware has become an all-too-frequent cyberplague that poses an enterprise-level danger to organizations unprepared for an attack. Crypto-ransomware families such as CryptoLocker, CryptoWall, Locky, SamSam and MongoLock have been circulating for years and still cause harm. Newer operations such as Ryuk (built on the earlier Hermes code base), along with as-yet-unnamed newcomers appearing daily, not only encrypt online data files but also seek out and delete or encrypt every backup they can reach, including volume shadow copies and backup catalogs. Files synced to cloud storage can also be overwritten when the encrypted versions are propagated. In a vulnerable environment this can make restoration impossible and effectively sets the datacenter back to square one.
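The backup destruction described above is usually carried out with ordinary Windows administration commands (vssadmin, wbadmin, bcdedit, del) run minutes before encryption begins, which makes it one of the earliest detectable signals of an attack in progress. The following Python script is an added example, not Progent's code or a description of any ProSight product: it runs rule-based detection over process-creation log lines and correlates hits per host, so that a single maintenance command does not page anyone while a cluster of tamper techniques on one server does. The log format, hostnames and timestamps are constructed for the example; the commands are modelled on the pre-encryption behaviour publicly reported for Ryuk.

```python
"""Flag backup-destruction commands in process-creation logs.

Added example, not Progent's code. The log lines are constructed to mimic a
flattened export of Windows process-creation events (Sysmon ID 1 or Security
4688); adapt LINE_RE to your SIEM's actual field layout.
"""
import re
from typing import Iterable, List, NamedTuple, Set

# One line per process start: timestamp host parent=<image> cmd="<command line>"
LINE_RE = re.compile(
    r'^(?P<ts>\S+)\s+(?P<host>\S+)\s+parent=(?P<parent>\S+)\s+cmd="(?P<cmd>.*)"$')

# Commands ransomware operators run to make recovery impossible before
# encryption starts. Each is also a legitimate admin command in isolation,
# which is why findings are correlated per host below.
BACKUP_TAMPER_RULES = {
    "shadow_copy_delete": re.compile(
        r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)", re.I),
    "shadow_storage_resize": re.compile(r"vssadmin(\.exe)?\s+resize\s+shadowstorage", re.I),
    "backup_catalog_delete": re.compile(
        r"wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)", re.I),
    "recovery_disabled": re.compile(
        r"bcdedit(\.exe)?\s+.*?(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I),
    "backup_file_wipe": re.compile(r"\bdel\b.*\*\.(bak|bkf|vhd|vhdx|set|win|dsk)\b", re.I),
}


class Finding(NamedTuple):
    ts: str
    host: str
    rule: str
    cmd: str


def scan(lines: Iterable[str]) -> List[Finding]:
    """Return one Finding per (line, rule) match; unparseable lines are skipped."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        for rule, pattern in BACKUP_TAMPER_RULES.items():
            if pattern.search(m["cmd"]):
                findings.append(Finding(m["ts"], m["host"], rule, m["cmd"]))
    return findings


def high_confidence_hosts(findings: Iterable[Finding], min_rules: int = 2) -> Set[str]:
    """Hosts where several distinct tamper techniques fired. A lone
    'vssadmin delete shadows' may be maintenance; a cluster almost never is."""
    rules_by_host = {}
    for f in findings:
        rules_by_host.setdefault(f.host, set()).add(f.rule)
    return {h for h, rules in rules_by_host.items() if len(rules) >= min_rules}


# Constructed sample, modelled on the pre-encryption batch script behaviour
# reported for Ryuk; not a real capture.
SAMPLE_LOG = """
2019-03-02T03:14:07Z FILESRV01 parent=cmd.exe cmd="vssadmin.exe Delete Shadows /All /Quiet"
2019-03-02T03:14:08Z FILESRV01 parent=cmd.exe cmd="vssadmin.exe resize shadowstorage /for=c: /on=c: /maxsize=401MB"
2019-03-02T03:14:09Z FILESRV01 parent=cmd.exe cmd="bcdedit /set {default} recoveryenabled No"
2019-03-02T03:14:10Z FILESRV01 parent=cmd.exe cmd="wbadmin DELETE CATALOG -quiet"
2019-03-02T03:14:11Z FILESRV01 parent=cmd.exe cmd="del /s /f /q c:\\*.VHD c:\\*.bac c:\\*.bak c:\\*.wbcat"
2019-03-02T09:00:00Z WKS-ACCT07 parent=explorer.exe cmd="vssadmin.exe list shadows"
2019-03-02T09:05:00Z BKUPSRV parent=services.exe cmd="wbadmin start backup -backupTarget:E: -include:C: -quiet"
2019-03-01T22:00:00Z FILESRV02 parent=powershell.exe cmd="vssadmin delete shadows /for=D: /oldest"
""".strip().splitlines()


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for f in hits:
        print(f"{f.ts} {f.host} {f.rule}: {f.cmd}")
    print("high confidence:", sorted(high_confidence_hosts(hits)))
```

On the sample, FILESRV01 trips five distinct rules within seconds and is reported with high confidence, FILESRV02's single oldest-copy deletion is recorded but not escalated, and the read-only `vssadmin list shadows` and the scheduled `wbadmin start backup` produce nothing. In production the same correlation should be bounded by a time window rather than by batch.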
Getting applications and data back online after a ransomware event becomes a race against time as the targeted organization struggles to contain and eradicate the ransomware and resume mission-critical operations. Because ransomware takes time to spread, attacks are frequently detonated on weekends and holidays, when intrusions often take longer to notice. This compounds the difficulty of quickly mobilizing and organizing an experienced response team.
Progent offers a variety of services for protecting enterprises from ransomware. These include staff education to recognize and avoid phishing scams, ProSight Active Security Monitoring (ASM) for behavior-based endpoint protection, and deployment of modern security solutions that use artificial intelligence to automatically identify and contain zero-day threats. Progent also offers the assistance of seasoned ransomware recovery engineers with the skill and commitment to rebuild a compromised environment as rapidly as possible.
Progent's Crypto-Ransomware Recovery Help
Following a ransomware attack, paying the ransom in cryptocurrency gives no assurance that the criminals will hand over working decryption keys for all your files. Kaspersky found that seventeen percent of crypto-ransomware victims who paid never recovered their files, compounding their losses. Paying is also very costly. Ryuk ransoms frequently range from 15 to 40 BTC (roughly $120,000 to $400,000 at the exchange rates of the time), far above the average ransomware demand, which ZDNet put at around $13,000. The other path is to piece the essential parts of your IT environment back together. Without access to complete data backups, this requires a broad range of IT skills, well-coordinated team management, and the ability to work non-stop until the job is done.
For many years, Progent has provided professional IT services to companies in Clearwater and across the US and has earned Microsoft Gold Partner status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes consultants who hold advanced industry certifications in key technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity specialists have earned internationally recognized industry certifications including CISM, CISSP-ISSAP, ISACA CRISC, and SANS GIAC. (See Progent's certifications). Progent also has experience with accounting and ERP software. This breadth of experience allows Progent to efficiently identify the important systems, organize the surviving components of your network environment after a ransomware event, and reassemble them into an operational system.
Progent's ransomware team uses project management tools to orchestrate the complicated recovery process. Progent understands the urgency of acting swiftly and in concert with a customer's management and IT staff to prioritize tasks and get the most important systems back online as soon as possible.
Client Case Study: A Successful Ransomware Intrusion Recovery
A client sought out Progent after their network was hit by Ryuk ransomware. Ryuk shares code with the earlier Hermes ransomware, which led early analysts to link it to North Korean state actors; subsequent research attributed its operation to a Russian-speaking criminal group. Ryuk targets specific businesses with little tolerance for disruption and is among the most profitable ransomware operations. Widely publicized victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a single-location manufacturing business in the Chicago metro area with around 500 employees. The Ryuk intrusion had paralyzed all business operations and manufacturing processes. Most of the client's backups were online at the start of the attack and were destroyed along with the production data. The client was arranging financing to pay the ransom (more than $200,000) and hoping for the best, but ultimately engaged Progent.
"I cannot tell you enough about the expertise Progent gave us throughout the most fearful time of (our) business's survival. We would have paid the hackers if it wasn't for the confidence the Progent experts provided us. The fact that you could get our e-mail system and essential servers back sooner than one week was earth shattering. Each expert I worked with or e-mailed at Progent was laser focused on getting us restored and was working 24/7 on our behalf."
Progent worked with the customer to quickly understand and prioritize the critical applications that had to be recovered in order to restart departmental functions:
- Active Directory (AD)
- Microsoft Exchange Server
To begin, Progent followed incident response best practices: isolating affected systems to halt the spread, then cleaning them. Progent then started recovering Windows Active Directory, the core of any enterprise environment built on Microsoft technology. Exchange will not function without Active Directory, and the client's accounting and MRP applications ran on SQL Server, which relied on Active Directory for authentication and authorization to the databases.
Within 48 hours, Progent had rebuilt Active Directory to its pre-attack state. Progent then began rebuilding key systems and recovering their storage. The Exchange schema extensions and attributes in Active Directory were intact, which greatly simplified the Exchange rebuild. Progent also located intact Outlook offline data (.ost) files on a number of PCs and used them to recover mail data. A recent offline backup of the company's financials/ERP software made it possible to bring those essential applications back online. Although significant work remained to recover completely from the Ryuk damage, essential services were restored quickly:
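The rebuild described above turned on knowing what had survived: intact .ost files on workstations and an offline ERP backup. As an added example, not Progent's code or procedure, the Python script below triages a recovered file tree the way a rebuild team would on day one: it classifies each file as a ransom note, an encrypted artifact, a high-entropy suspect (ciphertext that was not renamed), or intact, and lists the intact files that matter most for restoring services (Outlook .ost/.pst caches, SQL backups, mailbox databases, VM disks). The default encrypted extension and note names are the commonly reported Ryuk indicators and are assumptions for this example; pass whatever your own incident showed. The sample tree it builds is constructed, not real customer data.

```python
"""Post-incident triage of a recovered file tree.

Added example, not Progent's code. Classifies files as ransom notes, encrypted
artifacts, high-entropy suspects, or intact, and lists the intact files that
matter most for rebuilding services. The default extension and note names are
the commonly reported Ryuk indicators and are assumptions for this example.
"""
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Intact copies of these are what a rebuild team hunts for first.
RECOVERY_PRIORITY = {".ost", ".pst", ".bak", ".trn", ".edb", ".vhdx", ".vmdk"}
# Legitimately high-entropy formats; exempt from the entropy heuristic.
COMPRESSED_EXTS = {".zip", ".7z", ".gz", ".jpg", ".jpeg", ".png", ".mp4",
                   ".pdf", ".docx", ".xlsx"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: about 8.0 for ciphertext, typically below 6 for documents."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_file(path: Path, encrypted_ext: str = ".RYK",
                  note_names=("RyukReadMe.txt", "RyukReadMe.html"),
                  sample_bytes: int = 4096, threshold: float = 7.5) -> str:
    if path.name in note_names:
        return "ransom_note"
    suffix = path.suffix.lower()
    if suffix == encrypted_ext.lower():
        return "encrypted"
    with path.open("rb") as fh:
        head = fh.read(sample_bytes)
    # Ciphertext that kept its original name still gives itself away by
    # near-random bytes; compressed formats are exempted to limit false alarms.
    if (len(head) >= 256 and suffix not in COMPRESSED_EXTS
            and shannon_entropy(head) > threshold):
        return "suspect"
    return "intact"


def triage(root) -> dict:
    """Walk the tree; return verdict counts and intact recovery-priority files."""
    root = Path(root)
    counts = Counter()
    priority_intact = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        verdict = classify_file(path)
        counts[verdict] += 1
        if verdict == "intact" and path.suffix.lower() in RECOVERY_PRIORITY:
            priority_intact.append(path.relative_to(root).as_posix())
    return {"counts": dict(counts), "priority_intact": priority_intact}


def build_sample_tree(root) -> None:
    """Constructed fixture standing in for a recovered share; not real data."""
    files = {
        "share/reports/q1-forecast.xlsx.RYK": os.urandom(4096),   # encrypted
        "share/RyukReadMe.html": b"<html>ransom note</html>",    # note
        "share/docs/readme.txt": b"Quarterly procedures\n" * 200,  # intact
        "users/alice/outlook.ost": b"!BDN" + b"\x00" * 4092,      # intact mail cache
        "sql/erp_full.bak": b"TAPE" + b"\x00" * 4092,             # intact SQL backup
        "photos/team.jpg": os.urandom(4096),                      # compressed, exempt
        "misc/unknown.bin": os.urandom(4096),                     # unrenamed ciphertext
    }
    for rel, data in files.items():
        target = Path(root, rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)


def demo() -> dict:
    """Build the constructed tree in a temp directory and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return triage(tmp)


if __name__ == "__main__":
    print(demo())
```

The entropy check is a heuristic: it catches encrypted files whose names were left alone, but it also fires on archives and media, which is why those extensions are exempted and the verdict is "suspect" rather than "encrypted". Anything in the priority list should still be opened with its native tool (Outlook, RESTORE VERIFYONLY for SQL backups) before the rebuild plan depends on it.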
"For the most part, the production operation showed little impact and we delivered all customer deliverables."
Over the following couple of weeks, important milestones in the restoration were reached in close cooperation between Progent consultants and the customer:
- Self-hosted web applications were returned to operation without any data loss.
- The MailStore email archive server, with over four million archived Exchange messages, was brought online and made available to users.
- CRM, order entry, invoicing, accounts payable (AP), accounts receivable (AR) and inventory control functions were fully operational.
- A new Palo Alto Networks PA-850 firewall was installed and configured.
- 90% of desktops and laptops were back in operation.
"A lot of what went on that first week is mostly a fog for me, but we will not forget the dedication each and every one of the team put in to help get our business back. I have entrusted Progent for the past ten years, possibly more, and each time I needed help Progent has outperformed my expectations and delivered as promised. This time was a stunning achievement."
A potential business-killing catastrophe was averted through top-tier professionals, a wide array of technical expertise, and close collaboration. Forensics later showed that the attack described here would have been detected and stopped by up-to-date security technology combined with recognized best practices: staff training, sound procedures for protecting backups, and timely security patching. Even so, state-sponsored and criminal cyber gangs operating from China, Russia, North Korea and elsewhere are relentless and are not going away. If you do fall victim to a ransomware attack, remember that Progent's team has a proven track record in ransomware defense, mitigation, and data recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Tony (along with others that were contributing), thank you for allowing me to get rested after we made it through the initial fire. All of you did an amazing job, and if any of your guys are around the Chicago area, a great meal is my treat!"
To review or download a PDF version of this customer story, please click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Offered by Progent
Progent offers businesses in Clearwater a variety of remote monitoring and security assessment services to help you minimize your exposure to crypto-ransomware. These services use next-generation artificial intelligence to detect zero-day ransomware variants that evade traditional signature-based anti-virus products.
For 24-7 Clearwater ransomware recovery services, reach out to Progent at 800-993-9400 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
ProSight Active Security Monitoring is an endpoint protection service that uses next-generation behavior analysis to guard physical and virtual endpoints against new malware attacks such as ransomware and file-less exploits, which routinely slip past traditional signature-based anti-virus tools. ProSight ASM protects on-premises and cloud-based resources and offers a single platform covering the entire attack lifecycle: blocking, detection, mitigation, cleanup, and post-attack forensics. Top capabilities include one-click rollback using Windows Volume Shadow Copy Service and automatic network-wide immunization against new threats. Because ransomware routinely deletes shadow copies before it starts encrypting, rollback is only as good as the agent's ability to block that deletion first. Find out more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware defense.
- ProSight Enhanced Security Protection (ESP): Endpoint Protection and Exchange Filtering
Progent's ProSight Enhanced Security Protection managed services offer economical multi-layer protection for physical servers and VMs, workstations, smartphones, and Exchange email. ProSight ESP uses contextual security and advanced machine learning to continuously monitor and react to cyber threats from all attack vectors. ProSight ESP offers firewall protection, intrusion alarms, device management, and web filtering through leading-edge technologies packaged within one agent managed from a unified console. Progent's security and virtualization experts can help you plan and configure a ProSight ESP deployment that meets your company's unique needs and helps you demonstrate compliance with government and industry data protection regulations. Progent will help you define and implement the policies that ProSight ESP will enforce, and Progent will monitor your IT environment and react to alarms that call for immediate action. Progent can also help your company set up and verify a backup and restore system such as ProSight Data Protection Services so you can recover quickly from a destructive attack like ransomware. Read more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint protection and Microsoft Exchange email filtering.
- ProSight Data Protection Services: Managed Backup and Recovery
ProSight Data Protection Services offer small and mid-sized organizations an affordable and fully managed solution for secure backup and disaster recovery. For a low monthly price, ProSight Data Protection Services automates and monitors your backup activities and allows rapid restoration of vital data, applications and virtual machines that have been lost or corrupted through hardware failure, software bugs, natural disasters, human error, or malicious attacks such as ransomware. ProSight DPS can help you protect, retrieve and restore files, folders, applications, system images, and Microsoft Hyper-V and VMware virtual machine images. Critical data can be protected in the cloud, on an on-premises device, or both. Progent's backup and recovery consultants can deliver world-class support to set up ProSight DPS to comply with government and industry regulatory requirements such as HIPAA, FINRA, PCI and Safe Harbor and, when necessary, can help you recover your business-critical information. Read more about ProSight DPS Managed Cloud Backup.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam and virus filtering and email encryption service that incorporates the infrastructure of leading information security vendors to deliver web-based control and comprehensive protection for all your inbound and outbound email. The architecture of Progent's Email Guard managed service combines cloud-based filtering with an on-premises security gateway appliance to defend against spam, viruses, denial of service attacks, directory harvest attacks (DHAs), and other email-borne malware. The cloud protection layer serves as the first line of defense and blocks most unwanted email before it reaches your network firewall. This decreases your exposure to inbound attacks and conserves network bandwidth and storage. Email Guard's onsite gateway appliance adds a further level of analysis for inbound email. For outbound email, the onsite gateway provides AV and anti-spam protection, data leak protection, and email encryption. The onsite security gateway can also help Exchange Server track and protect internal email that never leaves your corporate firewall. For more details, visit Email Guard spam and content filtering.
- ProSight WAN Watch: Infrastructure Remote Monitoring and Management
ProSight WAN Watch is a network infrastructure management service that makes it simple and inexpensive for smaller organizations to map, monitor, optimize and troubleshoot their networking hardware such as routers, firewalls, and wireless controllers as well as servers, printers, endpoints and other networked devices. Using Remote Monitoring and Management (RMM) technology, ProSight WAN Watch keeps network maps up to date, backs up and manages the configuration of almost all devices connected to your network, monitors performance, and generates alerts when potential issues are detected. By automating tedious management and troubleshooting processes, WAN Watch can knock hours off common chores like network mapping, reconfiguring your network, finding appliances that need critical software patches, or identifying the cause of performance issues. Find out more about ProSight WAN Watch infrastructure monitoring and management services.
- ProSight LAN Watch: Server and Desktop Monitoring and Management
ProSight LAN Watch is Progent's server and desktop monitoring managed service that uses remote monitoring and management techniques to keep your IT systems running efficiently by tracking the state of the vital assets that power your business network. When ProSight LAN Watch detects an issue, an alarm is sent automatically to your designated IT management staff and your assigned Progent engineering consultant so that potential issues can be addressed before they affect productivity. Find out more about ProSight LAN Watch server and desktop monitoring services.
- ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
With Progent's ProSight Virtual Hosting service, a small organization can have its key servers and applications hosted in a protected, fault-tolerant data center on a fast virtual machine host set up and managed by Progent's IT support experts. Under the ProSight Virtual Hosting model, the customer owns the data, the operating system platforms, and the applications. Because the system is virtualized, it can be ported easily to a different hosting solution without a lengthy and difficult configuration procedure. With ProSight Virtual Hosting, you are not tied to one hosting provider. Learn more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to capture, maintain, retrieve and safeguard information about your IT infrastructure, processes, business applications, and services. You can quickly find passwords or IP addresses and be warned automatically about upcoming expirations of SSL certificates, domains or warranties. By cleaning up and managing your network documentation, you can eliminate as much as half of the time wasted looking for vital information about your IT network. ProSight IT Asset Management provides a centralized location for holding and sharing all documents required for managing your business network, such as standard operating procedures and self-service instructions. ProSight IT Asset Management also supports a high level of automation for gathering and relating IT data. Whether you're planning improvements, performing maintenance, or responding to a crisis, ProSight IT Asset Management delivers the information you require when you need it. Find out more about ProSight IT Asset Management service.