Ransomware: Your Crippling IT Disaster
Ransomware has become an escalating cyberplague that represents an enterprise-level danger for organizations vulnerable to an attack. Multiple generations of ransomware such as Dharma, WannaCry, Bad Rabbit, NotPetya and MongoLock cryptoworms have been replicating for years and continue to inflict havoc. Recent versions of ransomware such as Ryuk, Maze, Sodinokibi, DoppelPaymer, Conti or Nephilim, along with daily as yet unnamed viruses, not only encrypt online data files but also infiltrate most available system backups. Files synched to off-site disaster recovery sites can also be ransomed. In a poorly designed system, this can render automatic restoration hopeless and basically knock the entire system back to zero.

Recovering programs and data after a crypto-ransomware intrusion becomes a sprint against time as the targeted organization tries its best to contain and remove the virus and to restore mission-critical operations. Because ransomware needs time to replicate, attacks are frequently launched on weekends, when they are likely to take more time to notice. This compounds the difficulty of rapidly assembling and orchestrating an experienced mitigation team.

Progent provides a range of solutions for protecting enterprises from ransomware attacks. Among these are staff training to recognize and avoid falling victim to phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, plus installation of next-generation security appliances with artificial intelligence technology to rapidly identify and suppress new cyber threats. Progent can also provide the services of expert ransomware recovery engineers with the skills and perseverance to re-deploy a compromised system as soon as possible.

Progent's Crypto-Ransomware Restoration Services
Following a ransomware event, even paying the ransom in cryptocurrency does not ensure that distant criminals will provide the codes to decrypt any of your data. Kaspersky Labs estimated that 17% of crypto-ransomware victims never restored their files after having sent off the ransom, resulting in more losses. The gamble is also costly. Ryuk ransoms frequently range from 15-40 BTC ($120,000 to $400,000). This is well above the average crypto-ransomware demand, which ZDNET estimates to be around $13,000. The fallback is to re-install the vital components of your Information Technology environment. Without the availability of complete system backups, this requires a broad range of skill sets, top-notch project management, and the ability to work continuously until the task is completed.

For decades, Progent has made available expert Information Technology services for companies in Kansas City and throughout the US and has achieved Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes engineers who have attained advanced certifications in foundation technologies like Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cyber security engineers have earned internationally recognized certifications including CISA, CISSP, CRISC, and GIAC. Progent also has experience in financial management and ERP software solutions. This breadth of expertise gives Progent the skills to quickly identify important systems, re-organize the remaining parts of your network environment after a ransomware penetration, and rebuild them into an operational system.

Progent's security team uses state-of-the-art project management systems to orchestrate the complicated restoration process. Progent knows the importance of acting quickly and in concert with a client's management and Information Technology team members to prioritize tasks and to get essential applications back on-line as fast as humanly possible.

Client Story: A Successful Crypto-Ransomware Intrusion Response
A customer escalated to Progent after their network system was attacked by Ryuk crypto-ransomware. Ryuk is believed to have been developed by North Korean state-sponsored cybercriminals, suspected of adopting techniques exposed from the United States NSA. Ryuk attacks specific businesses with little ability to sustain disruption and is among the most lucrative iterations of ransomware viruses. Headline victims include Data Resolution, a California-based information warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a small manufacturer headquartered in the Chicago metro area with around 500 employees. The Ryuk attack had brought down all company operations and manufacturing capabilities. Most of the client's information backups had been online at the start of the attack and were eventually encrypted. The client considered paying the ransom demand (in excess of $200K) and praying for the best, but ultimately brought in Progent.


"I can't speak enough about the support Progent gave us throughout the most stressful period of (our) company's existence. We had little choice but to pay the cybercriminals if it wasn't for the confidence the Progent group afforded us. That you were able to get our messaging and essential servers back on-line quicker than five days was beyond my wildest dreams. Each consultant I spoke to or communicated with at Progent was totally committed on getting us working again and was working all day and night on our behalf."

Progent worked together with the client to quickly assess and prioritize the essential systems that needed to be recovered in order to restart company functions:

  • Active Directory (AD)
  • Microsoft Exchange Email
  • Accounting/MRP

To start, Progent adhered to ransomware event response industry best practices by halting the spread and cleaning up compromised systems. Progent then initiated the process of rebuilding Microsoft AD, the core of enterprise environments built on Microsoft Windows technology. Microsoft Exchange messaging will not operate without AD, and the business's MRP software utilized SQL Server, which needs Windows AD for security authorization to the information.

In less than two days, Progent was able to rebuild Active Directory services to their pre-attack state. Progent then initiated reinstallations and hard drive recovery of mission-critical systems. All Exchange schema and attributes were usable, which greatly helped the rebuild of Exchange. Progent was also able to collect intact OST files (Outlook Email Off-Line Data Files) on team PCs and laptops to recover mail messages. A recent offline backup of the client's accounting/ERP systems made it possible to return these essential applications to service. Although a lot of work still had to be done to recover completely from the Ryuk virus, core systems were recovered quickly:


"For the most part, the production line operation survived unscathed and we produced all customer sales."

Over the following few weeks critical milestones in the recovery process were achieved through tight cooperation between Progent engineers and the customer:

  • In-house web sites were restored without losing any information.
  • The MailStore Exchange Server containing more than four million historical emails was brought online and available for users.
  • CRM/Orders/Invoicing/Accounts Payable/Accounts Receivables (AR)/Inventory capabilities were 100 percent recovered.
  • A new Palo Alto Networks 850 security appliance was set up.
  • Ninety percent of the user desktops were fully operational.

"A lot of what was accomplished in the early hours is mostly a haze for me, but we will not soon forget the care each of the team put in to give us our company back. I've entrusted Progent for at least 10 years, maybe more, and each time Progent has outperformed my expectations and delivered. This situation was a life saver."

Conclusion
A possible business-killing disaster was dodged due to hard-working professionals, a wide spectrum of knowledge, and close collaboration. Analysis of the event afterwards indicated that the crypto-ransomware penetration described here would have been identified and blocked with up-to-date cyber security technology and ISO/IEC 27001 best practices, user training, and appropriate security procedures for information backup and applying software patches. Even so, the reality is that government-sponsored criminal cyber gangs from Russia, China and elsewhere are tireless and will continue. If you do fall victim to a ransomware incident, remember that Progent's team of experts has a proven track record in ransomware virus defense, remediation, and information systems restoration.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (along with others that were helping), thank you for letting me get rested after we made it past the first week. All of you did an impressive effort, and if anyone that helped is visiting the Chicago area, dinner is the least I can do!"


Additional Crypto-Ransomware Protection Services Available from Progent
Progent offers companies in Kansas City a range of online monitoring and security evaluation services designed to help you to reduce the threat from ransomware. These services incorporate next-generation artificial intelligence capability to uncover zero-day variants of ransomware that are able to evade traditional signature-based anti-virus products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring (ASM) is an endpoint protection solution that incorporates cutting edge behavior-based machine learning tools to guard physical and virtual endpoints against modern malware attacks such as ransomware and file-less exploits, which routinely evade traditional signature-matching anti-virus products. ProSight ASM safeguards local and cloud resources and offers a unified platform to address the entire malware attack lifecycle including blocking, identification, mitigation, remediation, and forensics. Top features include single-click rollback using Windows VSS and automatic system-wide immunization against newly discovered attacks. Learn more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection (ESP): Endpoint Protection and Exchange Email Filtering
    Progent's ProSight Enhanced Security Protection managed services deliver economical multi-layer protection for physical servers and VMs, desktops, smartphones, and Exchange Server. ProSight ESP utilizes contextual security and advanced machine learning for continuously monitoring and responding to cyber threats from all attack vectors. ProSight ESP delivers two-way firewall protection, penetration alarms, device management, and web filtering via leading-edge technologies incorporated within a single agent accessible from a single control. Progent's security and virtualization consultants can assist you to design and implement a ProSight ESP environment that addresses your company's specific requirements and that helps you achieve and demonstrate compliance with government and industry data security standards. Progent will help you define and configure security policies that ProSight ESP will manage, and Progent will monitor your network and react to alarms that require urgent action. Progent's consultants can also assist you to set up and verify a backup and disaster recovery solution such as ProSight Data Protection Services so you can get back in business quickly from a destructive security attack like ransomware. Read more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint protection and Microsoft Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services offer small and medium-sized businesses a low cost and fully managed solution for reliable backup/disaster recovery (BDR). For a fixed monthly price, ProSight DPS automates and monitors your backup processes and enables rapid recovery of critical data, apps and VMs that have become lost or damaged due to hardware breakdowns, software glitches, disasters, human mistakes, or malicious attacks such as ransomware. ProSight Data Protection Services can help you back up, retrieve and restore files, folders, applications, system images, as well as Hyper-V and VMware virtual machine images. Important data can be backed up on the cloud, to a local device, or to both. Progent's cloud backup consultants can provide advanced expertise to set up ProSight DPS to comply with government and industry regulatory standards such as HIPAA, FIRPA, and PCI and, whenever necessary, can assist you to restore your business-critical information. Learn more about ProSight DPS Managed Backup.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering and email encryption service that incorporates the infrastructure of leading information security companies to provide web-based management and comprehensive security for your email traffic. The powerful architecture of Progent's Email Guard managed service combines a Cloud Protection Layer with a local gateway appliance to provide advanced protection against spam, viruses, DoS attacks, DHAs, and other email-based malware. Email Guard's cloud filter acts as a first line of defense and keeps most threats from making it to your network firewall. This reduces your exposure to inbound attacks and saves system bandwidth and storage. Email Guard's on-premises security gateway appliance adds a deeper layer of inspection for incoming email. For outbound email, the on-premises gateway offers anti-virus and anti-spam protection, DLP, and email encryption. The local security gateway can also help Microsoft Exchange Server to track and protect internal email traffic that stays within your corporate firewall. For more information, visit ProSight Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is an infrastructure management service that makes it simple and affordable for small and mid-sized businesses to map out, track, optimize and troubleshoot their connectivity appliances like routers, firewalls, and load balancers plus servers, endpoints and other networked devices. Incorporating state-of-the-art Remote Monitoring and Management technology, ProSight WAN Watch ensures that infrastructure topology diagrams are always current, captures and manages the configuration of virtually all devices on your network, monitors performance, and generates alerts when potential issues are discovered. By automating time-consuming management processes, WAN Watch can cut hours off common tasks like making network diagrams, reconfiguring your network, locating appliances that need important software patches, or resolving performance issues. Find out more about ProSight WAN Watch infrastructure monitoring and management services.

  • ProSight LAN Watch: Server and Desktop Monitoring
    ProSight LAN Watch is Progent's server and desktop monitoring managed service that incorporates state-of-the-art remote monitoring and management (RMM) techniques to keep your network operating at peak levels by checking the health of critical computers that drive your information system. When ProSight LAN Watch detects an issue, an alert is sent immediately to your specified IT staff and your assigned Progent engineering consultant so that all looming issues can be resolved before they can impact your network. Learn more about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With Progent's ProSight Virtual Hosting service, a small or mid-size business can have its key servers and apps hosted in a secure fault-tolerant data center on a high-performance virtual machine host set up and managed by Progent's IT support experts. Under Progent's ProSight Virtual Hosting service model, the customer owns the data, the OS platforms, and the apps. Since the environment is virtualized, it can be moved immediately to a different hosting environment without a lengthy and difficult reinstallation procedure. With ProSight Virtual Hosting, you are not tied to a single hosting service. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to create, update, find and protect data related to your network infrastructure, processes, applications, and services. You can quickly find passwords or IP addresses and be alerted about impending expirations of SSLs, domains or warranties. By updating and managing your IT infrastructure documentation, you can eliminate as much as half of the time thrown away searching for vital information about your network. ProSight IT Asset Management includes a common location for holding and sharing all documents related to managing your business network such as recommended procedures and self-service instructions. ProSight IT Asset Management also offers advanced automation for collecting and associating IT data. Whether you're planning enhancements, performing maintenance, or reacting to a crisis, ProSight IT Asset Management delivers the data you need when you need it. Find out more about Progent's ProSight IT Asset Management service.
For 24-7 Kansas City Ransomware Repair Consultants, reach out to Progent at 800-993-9400 or go to Contact Progent.