Ransomware : Your Feared Information Technology Nightmare
Ransomware  Recovery ProfessionalsRansomware has become a modern cyber pandemic that represents an existential threat for businesses of all sizes vulnerable to an attack. Versions of ransomware such as Reveton, WannaCry, Locky, SamSam and MongoLock cryptoworms have been out in the wild for years and continue to cause havoc. Recent strains of crypto-ransomware such as Ryuk, Maze, Sodinokibi, Netwalker, Snatch or Egregor, along with additional unnamed viruses, not only encrypt online information but also infect any available system backup. Information synched to cloud environments can also be encrypted. In a poorly designed environment, this can make any restore operations impossible and basically knocks the entire system back to square one.

Getting back applications and information following a ransomware outage becomes a sprint against time as the victim struggles to contain and clear the crypto-ransomware and to restore enterprise-critical operations. Due to the fact that ransomware needs time to spread, assaults are often launched on weekends and holidays, when penetrations tend to take longer to uncover. This compounds the difficulty of quickly marshalling and organizing a capable mitigation team.

Progent has a variety of help services for securing businesses from ransomware penetrations. Among these are team education to become familiar with and avoid phishing exploits, ProSight Active Security Monitoring (ASM) for remote monitoring and management, along with installation of the latest generation security solutions with machine learning technology to quickly discover and suppress day-zero threats. Progent also can provide the assistance of expert ransomware recovery engineers with the talent and commitment to rebuild a compromised system as soon as possible.

Progent's Ransomware Recovery Support Services
Subsequent to a ransomware attack, even paying the ransom demands in Bitcoin cryptocurrency does not guarantee that cyber criminals will respond with the keys to unencrypt any of your files. Kaspersky determined that 17% of crypto-ransomware victims never recovered their data even after having paid the ransom, resulting in additional losses. The gamble is also expensive. Ryuk ransoms often range from fifteen to forty BTC ($120,000 and $400,000). This is significantly above the typical ransomware demands, which ZDNET averages to be around $13,000. The other path is to setup from scratch the vital components of your Information Technology environment. Absent the availability of essential data backups, this requires a broad range of skill sets, well-coordinated project management, and the willingness to work 24x7 until the job is finished.

For decades, Progent has offered professional IT services for businesses in Providence and across the U.S. and has earned Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes professionals who have attained advanced industry certifications in key technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity engineers have earned internationally-renowned industry certifications including CISM, CISSP-ISSAP, ISACA CRISC, and GIAC. (Visit Progent's certifications). Progent also has experience with financial management and ERP application software. This breadth of expertise gives Progent the ability to efficiently determine important systems and consolidate the surviving pieces of your IT environment following a crypto-ransomware penetration and assemble them into an operational network.

Progent's ransomware group utilizes state-of-the-art project management tools to coordinate the sophisticated recovery process. Progent appreciates the importance of acting swiftly and in unison with a customerís management and IT staff to assign priority to tasks and to get the most important applications back online as fast as humanly possible.

Client Story: A Successful Ransomware Penetration Response
A business sought out Progent after their network system was brought down by the Ryuk ransomware virus. Ryuk is generally considered to have been developed by North Korean state hackers, suspected of using strategies leaked from the U.S. NSA organization. Ryuk seeks specific companies with limited room for operational disruption and is among the most profitable instances of ransomware. High publicized victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a small manufacturer based in Chicago with around 500 employees. The Ryuk intrusion had frozen all business operations and manufacturing capabilities. The majority of the client's information backups had been directly accessible at the time of the attack and were damaged. The client considered paying the ransom demand (exceeding two hundred thousand dollars) and hoping for good luck, but in the end brought in Progent.


"I canít tell you enough in regards to the care Progent gave us throughout the most critical time of (our) companyís life. We had little choice but to pay the cyber criminals if it wasnít for the confidence the Progent group provided us. The fact that you were able to get our e-mail and production servers back into operation in less than 1 week was beyond my wildest dreams. Every single expert I talked with or communicated with at Progent was laser focused on getting us working again and was working breakneck pace to bail us out."

Progent worked hand in hand the client to quickly identify and prioritize the critical applications that needed to be restored to make it possible to restart business functions:

  • Active Directory (AD)
  • Electronic Messaging
  • MRP System
To start, Progent adhered to ransomware penetration response best practices by isolating and removing active viruses. Progent then started the steps of restoring Windows Active Directory, the foundation of enterprise systems built on Microsoft technology. Microsoft Exchange Server email will not work without AD, and the customerís MRP system used Microsoft SQL Server, which depends on Active Directory for authentication to the data.

In less than two days, Progent was able to rebuild Active Directory services to its pre-penetration state. Progent then assisted with reinstallations and hard drive recovery of critical systems. All Microsoft Exchange Server ties and configuration information were intact, which facilitated the restore of Exchange. Progent was also able to find local OST files (Outlook Email Off-Line Folder Files) on team workstations in order to recover mail messages. A recent off-line backup of the client's manufacturing software made them able to return these vital applications back servicing users. Although a lot of work remained to recover completely from the Ryuk virus, essential systems were recovered rapidly:


"For the most part, the production manufacturing operation was never shut down and we did not miss any customer orders."

Throughout the next couple of weeks key milestones in the recovery process were completed through close cooperation between Progent team members and the customer:

  • In-house web applications were brought back up without losing any data.
  • The MailStore Server exceeding 4 million historical emails was brought on-line and available for users.
  • CRM/Customer Orders/Invoices/AP/Accounts Receivables/Inventory Control modules were 100 percent functional.
  • A new Palo Alto Networks 850 security appliance was deployed.
  • Ninety percent of the desktops and laptops were operational.

"A lot of what was accomplished during the initial response is mostly a haze for me, but I will not forget the countless hours each and every one of you accomplished to give us our business back. Iíve been working with Progent for the past ten years, maybe more, and each time Progent has shined and delivered as promised. This time was a testament to your capabilities."

Conclusion
A potential enterprise-killing catastrophe was evaded with top-tier experts, a broad array of IT skills, and tight teamwork. Although in analyzing the event afterwards the ransomware virus penetration described here should have been shut down with up-to-date security systems and ISO/IEC 27001 best practices, staff training, and appropriate security procedures for information backup and applying software patches, the reality remains that government-sponsored cyber criminals from Russia, North Korea and elsewhere are relentless and will continue. If you do fall victim to a crypto-ransomware virus, remember that Progent's roster of professionals has substantial experience in ransomware virus defense, remediation, and file restoration.


"So, to Darrin, Matt, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others who were contributing), thank you for making it so I could get some sleep after we made it through the most critical parts. Everyone did an amazing job, and if any of your guys is in the Chicago area, dinner is the least I can do!"

To read or download a PDF version of this customer case study, click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent offers companies in Providence a portfolio of online monitoring and security assessment services designed to assist you to minimize your vulnerability to ransomware. These services include modern machine learning capability to detect zero-day strains of crypto-ransomware that are able to evade legacy signature-based anti-virus solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring is an endpoint protection solution that incorporates next generation behavior-based analysis tools to guard physical and virtual endpoint devices against new malware assaults such as ransomware and file-less exploits, which easily escape legacy signature-matching anti-virus products. ProSight Active Security Monitoring safeguards on-premises and cloud-based resources and offers a unified platform to automate the complete threat progression including blocking, identification, mitigation, remediation, and post-attack forensics. Key capabilities include one-click rollback using Windows Volume Shadow Copy Service (VSS) and automatic system-wide immunization against newly discovered threats. Find out more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Protection and Microsoft Exchange Filtering
    Progent's ProSight Enhanced Security Protection services deliver ultra-affordable multi-layer security for physical servers and virtual machines, desktops, mobile devices, and Exchange Server. ProSight ESP utilizes contextual security and modern behavior analysis for continuously monitoring and responding to security assaults from all vectors. ProSight ESP provides two-way firewall protection, penetration alerts, device management, and web filtering through cutting-edge tools packaged within one agent managed from a unified control. Progent's data protection and virtualization consultants can help your business to plan and configure a ProSight ESP environment that addresses your company's unique requirements and that allows you prove compliance with legal and industry data security standards. Progent will help you specify and configure security policies that ProSight ESP will manage, and Progent will monitor your network and respond to alarms that call for urgent action. Progent's consultants can also assist you to set up and verify a backup and restore solution like ProSight Data Protection Services (DPS) so you can get back in business quickly from a potentially disastrous cyber attack like ransomware. Find out more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint security and Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services offer small and medium-sized organizations a low cost end-to-end solution for reliable backup/disaster recovery (BDR). For a low monthly price, ProSight Data Protection Services automates your backup activities and allows fast recovery of vital data, applications and VMs that have become unavailable or damaged as a result of hardware failures, software bugs, natural disasters, human mistakes, or malicious attacks such as ransomware. ProSight DPS can help you protect, retrieve and restore files, folders, apps, system images, plus Microsoft Hyper-V and VMware virtual machine images. Important data can be protected on the cloud, to a local storage device, or mirrored to both. Progent's backup and recovery specialists can deliver advanced expertise to set up ProSight Data Protection Services to be compliant with government and industry regulatory standards such as HIPAA, FINRA, PCI and Safe Harbor and, when needed, can assist you to restore your critical data. Find out more about ProSight Data Protection Services Managed Backup.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering and email encryption service that incorporates the technology of leading information security companies to deliver web-based control and world-class security for all your inbound and outbound email. The powerful architecture of Email Guard managed service integrates a Cloud Protection Layer with a local gateway device to offer advanced protection against spam, viruses, Denial of Service (DoS) Attacks, DHAs, and other email-based malware. Email Guard's cloud filter serves as a first line of defense and blocks the vast majority of unwanted email from reaching your network firewall. This reduces your exposure to external attacks and conserves network bandwidth and storage space. Email Guard's onsite security gateway appliance provides a deeper layer of analysis for incoming email. For outbound email, the on-premises gateway provides AV and anti-spam protection, protection against data leaks, and email encryption. The onsite security gateway can also assist Exchange Server to track and safeguard internal email that stays inside your corporate firewall. For more information, see Email Guard spam and content filtering.

  • ProSight WAN Watch: Infrastructure Management
    Progentís ProSight WAN Watch is an infrastructure monitoring and management service that makes it simple and inexpensive for small and mid-sized organizations to map out, monitor, reconfigure and troubleshoot their networking appliances such as routers and switches, firewalls, and load balancers as well as servers, printers, client computers and other networked devices. Incorporating state-of-the-art Remote Monitoring and Management (RMM) technology, WAN Watch makes sure that network diagrams are kept current, captures and displays the configuration of virtually all devices connected to your network, monitors performance, and sends alerts when problems are discovered. By automating tedious network management processes, WAN Watch can cut hours off ordinary chores like network mapping, expanding your network, locating devices that require critical updates, or identifying the cause of performance issues. Learn more about ProSight WAN Watch infrastructure monitoring and management services.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
    ProSight LAN Watch is Progentís server and desktop remote monitoring service that incorporates advanced remote monitoring and management (RMM) techniques to help keep your network operating efficiently by checking the state of vital computers that power your business network. When ProSight LAN Watch detects a problem, an alert is sent immediately to your designated IT personnel and your Progent engineering consultant so any looming problems can be resolved before they can disrupt productivity. Learn more about ProSight LAN Watch server and desktop monitoring services.

  • ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
    With ProSight Virtual Hosting service, a small business can have its critical servers and apps hosted in a secure fault tolerant data center on a fast virtual host configured and maintained by Progent's network support experts. Under Progent's ProSight Virtual Hosting model, the customer owns the data, the operating system platforms, and the applications. Since the system is virtualized, it can be moved immediately to an alternate hosting solution without requiring a lengthy and technically risky reinstallation procedure. With ProSight Virtual Hosting, you are not tied one hosting provider. Learn more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to capture, update, find and protect information related to your network infrastructure, processes, business apps, and services. You can quickly find passwords or IP addresses and be warned automatically about upcoming expirations of SSLs or domains. By updating and managing your IT infrastructure documentation, you can eliminate up to half of time thrown away searching for critical information about your network. ProSight IT Asset Management features a centralized location for holding and sharing all documents related to managing your network infrastructure such as recommended procedures and self-service instructions. ProSight IT Asset Management also offers advanced automation for collecting and relating IT information. Whether youíre making improvements, doing regular maintenance, or reacting to an emergency, ProSight IT Asset Management delivers the information you need when you need it. Learn more about ProSight IT Asset Management service.
For 24-7 Providence Ransomware Removal Help, reach out to Progent at 800-993-9400 or go to Contact Progent.