Ransomware: Your Crippling Information Technology Nightmare
Ransomware has become an escalating cyberplague that presents an extinction-level threat for businesses of all sizes that are poorly prepared for an assault. Different strains of crypto-ransomware such as CryptoLocker, WannaCry, Locky, SamSam and MongoLock cryptoworms have been out in the wild for a long time and still inflict damage. The latest variants of crypto-ransomware like Ryuk and Hermes, plus the unnamed malware that appears daily, not only encrypt on-line information but also go after every system protection mechanism they can reach. Files replicated to the cloud can also be encrypted. In a poorly designed data protection solution, this can make any recovery useless and effectively knocks the datacenter back to zero.
Getting programs and information back on-line after a crypto-ransomware event becomes a race against the clock as the targeted business fights to stop the spread, eradicate the ransomware, and resume business-critical operations. Because ransomware takes time to spread, assaults are frequently launched during weekends and nights, when penetrations tend to take longer to uncover. This multiplies the difficulty of rapidly assembling and coordinating a capable response team.
Progent has an assortment of help services for protecting enterprises from ransomware events. Among these are user education to become familiar with and avoid phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, plus setup and configuration of modern security gateways with AI capabilities to intelligently identify and suppress new threats. Progent also offers the services of experienced crypto-ransomware recovery professionals with the skills and commitment to re-deploy a breached environment as rapidly as possible.
Progent's Ransomware Restoration Services
Subsequent to a crypto-ransomware attack, paying the ransom demanded in cryptocurrency does not guarantee that the criminal gang will return the keys needed to decrypt any or all of your data. Kaspersky Labs ascertained that seventeen percent of ransomware victims never recovered their data even after having paid the ransom, resulting in further losses. The gamble is also costly. Ryuk ransoms commonly range from fifteen to forty BTC ($120,000 to $400,000). This is well above the usual ransomware demand, which ZDNET estimates to be in the range of $13,000. The fallback is to set up the mission-critical elements of your Information Technology environment from scratch. Without access to essential data backups, this requires a wide range of skills, professional project management, and the capability to work non-stop until the task is completed.
For two decades, Progent has provided professional IT services for companies in Tucson and throughout the United States and has earned Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes engineers who have been awarded advanced certifications in leading technologies including Microsoft, Cisco, VMware, and major distributions of Linux. Progent's security consultants have garnered internationally-renowned certifications including CISA, CISSP-ISSAP, CRISC, and SANS GIAC. (Visit Progent's certifications). Progent in addition has experience in financial systems and ERP application software. This breadth of expertise gives Progent the ability to quickly identify critical systems, integrate the surviving parts of your Information Technology environment following a ransomware attack, and configure them into a functioning system.
Progent's ransomware team has best-of-breed project management systems to orchestrate the complicated recovery process. Progent knows the urgency of acting quickly and in concert with a customer's management and IT resources to assign priority to tasks and to get key services back online as soon as humanly possible.
Customer Story: A Successful Ransomware Virus Recovery
A business sought out Progent after their organization was crippled by the Ryuk crypto-ransomware. Ryuk is generally considered to have been deployed by North Korean government-sponsored cybercriminals, suspected of adopting algorithms leaked from the United States NSA. Ryuk targets specific organizations with little tolerance for disruption and is one of the most profitable incarnations of ransomware. Well-known targets include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a regional manufacturer based in Chicago with around 500 employees. The Ryuk attack had shut down all business operations and manufacturing capabilities. Most of the client's backups had been on-line at the start of the attack and were destroyed. The client was evaluating paying the ransom (in excess of $200,000) and hoping for the best, but in the end called Progent.
"I can't say enough about the support Progent provided us throughout the most fearful time of (our) business's survival. We most likely would have paid the cybercriminals except for the confidence the Progent group afforded us. The fact that you could get our e-mail system and key servers back on-line in less than one week was beyond my wildest dreams. Every single expert I worked with or e-mailed at Progent was amazingly focused on getting our company operational and was working at breakneck pace on our behalf."
Progent worked together with the client to quickly get a handle on, and assign priority to, the essential services that needed to be recovered in order to resume business functions:
- Windows Active Directory
- Exchange Server
- Accounting and Manufacturing Software
To start, Progent adhered to ransomware incident mitigation best practices by stopping lateral movement and cleaning systems of malware. Progent then began the task of restoring Microsoft Active Directory, the key technology of enterprise systems built on Microsoft Windows Server. Microsoft Exchange email will not function without Windows AD, and the customer's MRP software relied on Microsoft SQL Server, which requires Windows AD to authorize access to the data.
In less than 2 days, Progent was able to rebuild Active Directory services to their pre-attack state. Progent then completed the rebuilding and hard drive recovery of the needed servers. All Exchange Server schema and attributes were intact, which facilitated the rebuild of Exchange. Progent was able to find intact OST files (Outlook Off-Line Folder Files) on team PCs and laptops to recover mail data. A recent offline backup of the business's accounting/ERP systems made it possible to restore these essential applications and make them available to users again. Although significant work still had to be done to recover totally from the Ryuk event, critical services were recovered quickly:
"For the most part, the production operation did not miss a beat and we did not miss any customer orders."
During the following few weeks key milestones in the restoration project were achieved through tight collaboration between Progent consultants and the customer:
- Internal web applications were brought back up with no loss of data.
- The MailStore archive for Microsoft Exchange Server, holding more than 4 million historical emails, was restored to operation and made available to users.
- CRM, Orders, Invoicing, Accounts Payable (AP), Accounts Receivable (AR), and Inventory Control capabilities were fully functional.
- A new Palo Alto Networks 850 firewall was brought online.
- 90% of the user desktops were functioning as before the incident.
"A huge amount of what transpired those first few days is nearly entirely a blur for me, but my management will not soon forget the dedication each of you put in to help get our company back. I have entrusted Progent for the past ten years, possibly more, and every time Progent has shined and delivered. This event was the most impressive ever."
A potential company-ending catastrophe was avoided through the efforts of results-oriented experts, a broad spectrum of technical expertise, and tight collaboration. In hindsight, the ransomware incident described here could have been blocked with up-to-date cyber security technology, NIST Cybersecurity Framework best practices, user education, properly executed incident response procedures for information protection, and keeping systems current with security patches. The fact remains, however, that government-sponsored cybercriminals from China, Russia, North Korea and elsewhere are tireless and are an ongoing threat. If you do fall victim to ransomware, feel confident that Progent's team of experts has extensive experience in crypto-ransomware defense, removal, and information systems restoration.
"So, to Darrin, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others who were involved), thanks very much for letting me get rested after we made it over the first week. All of you did an impressive job, and if any of you is visiting the Chicago area, a great meal is the least I can do!"
To review or download a PDF version of this customer story, please click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Offered by Progent
Progent offers businesses in Tucson a variety of online monitoring and security evaluation services to help you to minimize your vulnerability to crypto-ransomware. These services include next-generation machine learning technology to detect new strains of ransomware that can get past traditional signature-based security products.
For 24-7 Tucson Crypto Repair Experts, call Progent at 800-993-9400 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring is an endpoint protection (EPP) service that utilizes cutting edge behavior analysis technology to guard physical and virtual endpoints against modern malware attacks such as ransomware and email phishing, which easily evade legacy signature-matching anti-virus products. ProSight ASM safeguards on-premises and cloud resources and provides a single platform to manage the complete threat progression including protection, infiltration detection, containment, remediation, and post-attack forensics. Top capabilities include single-click rollback using Windows Volume Shadow Copy Service and automatic system-wide immunization against new attacks. Find out more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware defense.
- ProSight Enhanced Security Protection: Physical and Virtual Endpoint Protection and Microsoft Exchange Email Filtering
Progent's ProSight Enhanced Security Protection services deliver affordable in-depth security for physical and virtual servers, desktops, mobile devices, and Exchange email. ProSight ESP uses adaptive security and advanced machine learning for continuously monitoring and responding to cyber threats from all attack vectors. ProSight ESP provides two-way firewall protection, intrusion alarms, endpoint control, and web filtering via leading-edge technologies packaged within one agent managed from a single console. Progent's security and virtualization experts can help your business to design and implement a ProSight ESP deployment that meets your company's unique needs and that helps you prove compliance with legal and industry data security regulations. Progent will assist you in defining and configuring the policies that ProSight ESP will enforce, and Progent will monitor your IT environment and respond to alarms that call for immediate action. Progent can also assist your company to install and test a backup and disaster recovery solution such as ProSight Data Protection Services so you can get back in business rapidly after a destructive cyber attack like ransomware. Learn more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint protection and Microsoft Exchange filtering.
- ProSight Data Protection Services: Managed Backup and Disaster Recovery
ProSight Data Protection Services provide small and medium-sized organizations a low-cost end-to-end service for reliable backup/disaster recovery (BDR). For a fixed monthly cost, ProSight DPS automates and monitors your backup processes and enables fast restoration of vital files, apps and VMs that have become lost or damaged as a result of component failures, software bugs, disasters, human mistakes, or malicious attacks such as ransomware. ProSight DPS can help you protect, recover and restore files, folders, applications, system images, plus Hyper-V and VMware images. Important data can be backed up to the cloud, to a local storage device, or to both. Progent's BDR consultants can deliver advanced expertise to set up ProSight Data Protection Services to comply with regulatory standards like HIPAA, FIRPA, PCI and Safe Harbor and, whenever needed, can assist you to recover your business-critical data. Find out more about ProSight DPS Managed Cloud Backup.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam filtering service that incorporates the infrastructure of top information security companies to deliver centralized management and comprehensive security for all your email traffic. The hybrid architecture of Email Guard managed service integrates cloud-based filtering with an on-premises gateway device to offer advanced defense against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks (DHAs), and other email-based malware. Email Guard's cloud filter acts as a preliminary barricade and keeps the vast majority of threats from making it to your security perimeter. This decreases your exposure to external threats and conserves network bandwidth and storage space. Email Guard's onsite security gateway appliance provides a further level of analysis for incoming email. For outbound email, the on-premises security gateway provides anti-virus and anti-spam filtering, policy-based Data Loss Prevention, and email encryption. The local gateway can also help Exchange Server to track and protect internal email that originates and ends inside your corporate firewall. For more information, visit ProSight Email Guard spam and content filtering.
- ProSight WAN Watch: Network Infrastructure Management
ProSight WAN Watch is an infrastructure monitoring and management service that makes it easy and affordable for small and mid-sized organizations to diagram, monitor, enhance and debug their connectivity hardware such as routers and switches, firewalls, and load balancers plus servers, printers, client computers and other networked devices. Incorporating cutting-edge Remote Monitoring and Management (RMM) technology, WAN Watch makes sure that network diagrams are kept updated, copies and displays the configuration of almost all devices connected to your network, monitors performance, and sends notices when potential issues are discovered. By automating time-consuming network management processes, ProSight WAN Watch can knock hours off ordinary tasks like making network diagrams, expanding your network, locating devices that need important software patches, or identifying the cause of performance bottlenecks. Learn more details about ProSight WAN Watch network infrastructure management services.
- ProSight LAN Watch: Server and Desktop Remote Monitoring
ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that uses state-of-the-art remote monitoring and management (RMM) technology to help keep your IT system operating at peak levels by tracking the health of the vital assets that power your information system. When ProSight LAN Watch detects an issue, an alarm is sent automatically to your designated IT staff and your Progent engineering consultant so all looming problems can be resolved before they have a chance to impact productivity. Find out more details about ProSight LAN Watch server and desktop remote monitoring consulting.
- ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
With ProSight Virtual Hosting service, a small or mid-size organization can have its critical servers and apps hosted in a secure fault-tolerant data center on a fast virtual host set up and managed by Progent's IT support experts. With Progent's ProSight Virtual Hosting model, the client retains ownership of the data, the OS software, and the applications. Because the system is virtualized, it can be ported immediately to an alternate hosting environment without requiring a lengthy and technically risky configuration procedure. With ProSight Virtual Hosting, you are not tied to a single hosting service. Find out more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to create, update, find and protect information related to your IT infrastructure, processes, business apps, and services. You can instantly find passwords or IP addresses and be alerted about upcoming expirations of SSL certificates or domains. By updating and managing your network documentation, you can eliminate as much as half of the time wasted trying to find critical information about your network. ProSight IT Asset Management features a common location for storing and collaborating on all documents required for managing your network infrastructure, such as recommended procedures and How-To's. ProSight IT Asset Management also supports a high level of automation for gathering and relating IT data. Whether you're making enhancements, performing maintenance, or reacting to a crisis, ProSight IT Asset Management gets you the knowledge you need when you need it. Learn more about Progent's ProSight IT Asset Management service.