Ransomware: Your Crippling Information Technology Catastrophe
Crypto-ransomware has become an escalating cyberplague that presents an enterprise-level danger for businesses poorly prepared for an attack. Different iterations of crypto-ransomware such as the CryptoLocker, Fusob, Locky, NotPetya and MongoLock cryptoworms have been circulating for years and continue to inflict destruction. Modern strains of ransomware like Ryuk, Maze, Sodinokibi, DopplePaymer, Conti or Egregor, as well as frequent as-yet-unnamed newcomers, not only encrypt online data but also defeat most of the system protection mechanisms that have been configured. Data synchronized to off-site disaster recovery sites can also be corrupted. In a poorly designed system, this can make automatic restoration hopeless and effectively sets the entire environment back to zero.
Retrieving programs and data following a ransomware intrusion becomes a race against the clock as the victim fights to stop lateral movement, eradicate the malware, and resume business-critical activity. Since ransomware requires time to spread, attacks are frequently launched on weekends, when in many cases they take longer to detect. This compounds the difficulty of promptly mobilizing and organizing a capable mitigation team.
Progent offers a range of support services for securing businesses against crypto-ransomware penetrations. These include staff training to help personnel recognize and avoid falling victim to phishing exploits, ProSight Active Security Monitoring for remote monitoring and management, and deployment of the latest generation of security appliances with AI capabilities to quickly discover and extinguish new cyber attacks. Progent also provides the assistance of veteran crypto-ransomware recovery consultants with the track record and perseverance to reconstruct a breached network as soon as possible.
Progent's Crypto-Ransomware Restoration Services
After a ransomware event, even paying the ransom demand in Bitcoin cryptocurrency does not guarantee that distant criminals will provide the keys needed to decrypt any of your data. Kaspersky Labs determined that 17% of crypto-ransomware victims never recovered their information even after having paid the ransom, resulting in increased losses. The ransom itself is also expensive. Ryuk ransoms often range from fifteen to forty BTC ($120,000 to $400,000). This is well above the typical ransomware demand, which ZDNET determined to be around $13,000. The alternative is to re-install the essential elements of your IT environment. Without the availability of full system backups, this requires a broad range of IT skills, top-notch team management, and the ability to work continuously until the recovery project is completed.
For decades, Progent has made available expert IT services for companies in Clearwater and across the US and has earned Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes engineers who have attained top certifications in foundation technologies like Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cybersecurity consultants have earned internationally recognized certifications including CISA, CISSP-ISSAP, ISACA CRISC, and SANS GIAC (visit Progent's certifications). Progent also has experience in financial systems and ERP application software. This breadth of expertise gives Progent the capability to knowledgeably identify important systems, integrate the surviving pieces of your computer network after a ransomware penetration, and assemble them into a functioning network.
Progent's ransomware group uses state-of-the-art project management systems to orchestrate the sophisticated restoration process. Progent understands the urgency of acting swiftly and working together with a client's management and Information Technology resources to prioritize tasks and to get critical systems back online as soon as possible.
Customer Case Study: A Successful Crypto-Ransomware Incident Recovery
A small business contacted Progent after their network was crashed by Ryuk ransomware. Ryuk is generally considered to have been developed by North Korean government-sponsored hackers, suspected of adopting techniques leaked from the U.S. National Security Agency. Ryuk targets specific companies with little or no ability to sustain operational disruption and is one of the most profitable examples of ransomware malware. Well-known victims include Data Resolution, a California-based information warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a single-location manufacturing company based in the Chicago metro area with about 500 staff members. The Ryuk event had paralyzed all essential operations and manufacturing processes. Most of the client's backups had been directly accessible over the network at the time of the attack and were eventually encrypted. The client was taking steps to pay the ransom (exceeding $200,000) and hoping for the best, but ultimately made the decision to use Progent.
"I cannot speak enough in regards to the expertise Progent provided us during the most fearful period of (our) company's survival. We most likely would have paid the cyber criminals if not for the confidence the Progent group gave us. That you were able to get our messaging and critical servers back online in less than 1 week was incredible. Each expert I talked with or messaged at Progent was laser focused on getting us back on-line and was working all day and night to bail us out."
Progent worked with the customer to rapidly identify and prioritize the most important systems that had to be addressed in order to resume company operations:
- Windows Active Directory
- Electronic Mail
To get going, Progent followed anti-virus incident mitigation industry best practices by halting the spread and disinfecting systems. Progent then started the process of rebuilding Windows Active Directory, the core of enterprise networks built upon Microsoft Windows Server technology. Exchange email will not work without Active Directory, and the customer's financials and MRP applications utilized SQL Server, which requires Active Directory services for access to the information.
In less than 2 days, Progent was able to restore Active Directory to its pre-attack state. Progent then helped perform the rebuilding and storage recovery of key applications. All Microsoft Exchange Server data and configuration information were usable, which greatly helped the restoration of Exchange. Progent was also able to collect local OST files (Outlook Offline Data Files) from staff desktop computers and laptops to recover email messages. A fairly recent offline backup of the business's manufacturing systems made it possible to bring these essential applications back online for users. Although a large amount of work still needed to be completed to recover fully from the Ryuk event, critical services were returned to operation rapidly:
"For the most part, the assembly line operation did not miss a beat and we delivered all customer orders."
During the following month, critical milestones in the recovery process were accomplished in tight cooperation between Progent engineers and the client:
- Internal web applications were brought back up without losing any information.
- The MailStore Server containing more than four million archived emails was restored to operations and accessible to users.
- CRM/Orders/Invoicing/Accounts Payable (AP)/AR/Inventory Control modules were 100% restored.
- A new Palo Alto 850 firewall was set up and programmed.
- Most of the user desktops were fully operational.
"A huge amount of what went on in the early hours is mostly a fog for me, but my management will not soon forget the countless hours each and every one of you put in to give us our company back. I've been working together with Progent for at least 10 years, maybe more, and every time I needed help Progent has shined and delivered. This time was a stunning achievement."
A potential business-ending disaster was averted thanks to results-oriented professionals, a broad spectrum of subject matter expertise, and tight collaboration. Although in hindsight the crypto-ransomware attack described here could have been blocked with up-to-date security systems and security best practices, user and IT administrator education, and properly executed procedures for data backup and software patching, the fact remains that government-sponsored cyber criminals from Russia, China and elsewhere are relentless and represent an ongoing threat. If you do fall victim to crypto-ransomware, be assured that Progent's roster of professionals has substantial experience in crypto-ransomware defense, cleanup, and information systems restoration.
"So, to Darrin, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were helping), I'm grateful for letting me get rested after we got through the most critical parts. All of you did an impressive effort, and if anyone that helped is around the Chicago area, dinner is on me!"
To read or download a PDF version of this customer story, click:
Progent's Ryuk Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Available from Progent
Progent offers businesses in Clearwater a range of remote monitoring and security assessment services designed to assist you to minimize your vulnerability to crypto-ransomware. These services incorporate modern artificial intelligence capability to uncover zero-day variants of crypto-ransomware that can evade traditional signature-based security solutions.
For Clearwater 24-Hour Crypto Removal Support Services, call Progent at 800-993-9400 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring is an endpoint protection (EPP) solution that incorporates cutting-edge behavior-based analysis technology to defend physical and virtual endpoint devices against new malware attacks like ransomware and file-less exploits, which routinely escape legacy signature-based AV tools. ProSight Active Security Monitoring safeguards local and cloud resources and provides a single platform to manage the complete threat progression, including filtering, identification, mitigation, remediation, and post-attack forensics. Top capabilities include one-click rollback using Windows Volume Shadow Copy Service (VSS) and real-time system-wide immunization against new threats. Read more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware recovery.
- ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Security and Exchange Filtering
Progent's ProSight Enhanced Security Protection managed services offer affordable in-depth protection for physical servers and virtual machines, workstations, smartphones, and Microsoft Exchange. ProSight ESP utilizes contextual security and advanced heuristics for continuously monitoring and responding to security assaults from all attack vectors. ProSight ESP provides two-way firewall protection, intrusion alarms, device management, and web filtering via cutting-edge technologies packaged within a single agent accessible from a unified console. Progent's security and virtualization experts can help you to design and implement a ProSight ESP deployment that addresses your company's unique requirements and that helps you prove compliance with government and industry data security standards. Progent will help you define and implement security policies that ProSight ESP will enforce, and Progent will monitor your IT environment and respond to alerts that require immediate attention. Progent's consultants can also help you to install and test a backup and restore solution such as ProSight Data Protection Services so you can recover rapidly from a destructive cyber attack such as ransomware. Find out more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint protection and Exchange filtering.
- ProSight Data Protection Services: Managed Backup and Disaster Recovery
ProSight Data Protection Services from Progent offer small and mid-sized organizations a low-cost and fully managed service for reliable backup/disaster recovery (BDR). For a fixed monthly price, ProSight DPS automates your backup activities and allows fast recovery of critical data, applications and VMs that have become unavailable or corrupted due to component breakdowns, software glitches, natural disasters, human error, or malicious attacks such as ransomware. ProSight Data Protection Services can help you back up, retrieve and restore files, folders, apps, system images, as well as Hyper-V and VMware virtual machine images. Important data can be protected in the cloud, on an on-premises storage device, or both. Progent's BDR specialists can provide world-class support to set up ProSight Data Protection Services to comply with government and industry regulatory requirements such as HIPAA, FINRA, and PCI and, when needed, can help you to restore your critical data. Learn more about ProSight Data Protection Services Managed Backup and Recovery.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam filtering service that incorporates the infrastructure of top information security companies to deliver web-based management and world-class security for all your email traffic. The hybrid structure of the Email Guard managed service combines cloud-based filtering with an on-premises security gateway appliance to provide advanced defense against spam, viruses, DoS attacks, Directory Harvest Attacks (DHAs), and other email-based threats. The Cloud Protection Layer acts as a first line of defense and keeps the vast majority of unwanted email from reaching your network firewall. This decreases your exposure to inbound threats and conserves system bandwidth and storage space. Email Guard's on-premises gateway appliance provides a further layer of inspection for inbound email. For outgoing email, the on-premises gateway provides AV and anti-spam protection, protection against data leaks, and email encryption. The on-premises gateway can also help Microsoft Exchange Server monitor and protect internal email traffic that stays within your corporate firewall. For more information, visit Email Guard spam and content filtering.
- ProSight WAN Watch: Infrastructure Management
Progent's ProSight WAN Watch is an infrastructure management service that makes it simple and inexpensive for small and mid-sized organizations to map out, monitor, reconfigure and debug their networking hardware like routers and switches, firewalls, and access points plus servers, endpoints and other devices. Using state-of-the-art Remote Monitoring and Management technology, WAN Watch makes sure that infrastructure topology diagrams are kept updated, captures and manages the configuration of virtually all devices connected to your network, monitors performance, and sends notices when issues are detected. By automating time-consuming management and troubleshooting processes, ProSight WAN Watch can knock hours off ordinary chores such as making network diagrams, expanding your network, finding appliances that need important updates, or resolving performance problems. Find out more details about ProSight WAN Watch infrastructure monitoring and management services.
- ProSight LAN Watch: Server and Desktop Remote Monitoring
ProSight LAN Watch is Progent's server and desktop remote monitoring service that uses state-of-the-art remote monitoring and management (RMM) techniques to keep your network operating efficiently by checking the health of critical computers that power your business network. When ProSight LAN Watch uncovers a problem, an alarm is transmitted automatically to your designated IT management personnel and your assigned Progent consultant so all potential issues can be addressed before they have a chance to disrupt productivity. Find out more details about ProSight LAN Watch server and desktop monitoring services.
- ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
With Progent's ProSight Virtual Hosting service, a small or mid-size organization can have its key servers and applications hosted in a protected Tier III data center on a fast virtual machine host configured and maintained by Progent's IT support experts. Under Progent's ProSight Virtual Hosting model, the customer owns the data, the OS software, and the apps. Since the system is virtualized, it can be ported immediately to an alternate hosting solution without requiring a lengthy and difficult reinstallation procedure. With ProSight Virtual Hosting, you are not tied to a single hosting provider. Learn more details about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to create, update, find and safeguard data related to your network infrastructure, processes, business apps, and services. You can quickly find passwords or serial numbers and be alerted automatically about upcoming expirations of SSL certificates, domains or warranties. By updating and managing your IT infrastructure documentation, you can eliminate up to half of the time spent trying to find critical information about your IT network. ProSight IT Asset Management features a centralized location for holding and collaborating on all documents related to managing your business network, such as standard operating procedures and How-To's. ProSight IT Asset Management also offers a high level of automation for collecting and relating IT information. Whether you're planning enhancements, performing maintenance, or responding to a crisis, ProSight IT Asset Management gets you the information you need when you need it. Read more about Progent's ProSight IT Asset Management service.