Ransomware: Your Worst IT Nightmare
Ransomware Recovery Experts
Crypto-ransomware has become an all-too-frequent plague and an existential threat for businesses of any size that are unprepared for an attack. Families such as Dharma, CryptoWall, Bad Rabbit, NotPetya and MongoLock have been circulating for years and still cause harm. Newer, human-operated families such as Ryuk (built on the code of the earlier Hermes ransomware), as well as a steady stream of unnamed variants, not only encrypt online data files but also seek out and destroy any backups they can reach: shadow copies and backup catalogs on the victim host, and backup volumes mounted over the network. Data replicated to an off-site disaster recovery site can also be rendered useless, because replication faithfully copies the encrypted files over the good ones. In a poorly architected environment this can make restore operations hopeless and effectively sets the entire system back to zero.
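As an added example (not part of the original page and not Progent's tooling), the following Python routine shows the kind of check a detection engineer would run over process-creation logs to catch the moment an intrusion turns on local backups. It scans for the commands that Ryuk and many other families run just before encrypting (deleting shadow copies, wiping the Windows backup catalog, disabling automatic recovery) and flags hosts where more than one such command was seen. The log format and the sample lines are constructed for this example; a real deployment would read Sysmon Event ID 1 or Windows Security Event 4688 with command-line logging enabled.

```python
"""Flag backup-destruction commands that typically precede the encryption phase.

Input: process-creation log lines (one per line). Output: findings per host.
"""
import re
from dataclasses import dataclass

# Commands that wipe local recovery points. These are the well-documented
# pre-encryption steps seen in Ryuk and many other families; the set is
# illustrative, not exhaustive.
BACKUP_TAMPER_PATTERNS = {
    "vss_delete":      re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    "vss_resize":      re.compile(r"vssadmin(\.exe)?\s+resize\s+shadowstorage", re.I),
    "wmic_shadow":     re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    "wbadmin_catalog": re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
    "bcdedit_recov":   re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no", re.I),
    "bcdedit_boot":    re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures", re.I),
}

# Hypothetical, simplified log format (constructed for this example):
#   <timestamp> host=<name> user=<account> pid=<n> cmd="<command line>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+pid=\d+\s+cmd="(?P<cmd>.*)"$'
)


@dataclass
class Finding:
    ts: str
    host: str
    user: str
    rule: str
    command: str


def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def scan(lines):
    """Return one Finding per log line whose command line matches a tamper pattern."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for rule, pattern in BACKUP_TAMPER_PATTERNS.items():
            if pattern.search(rec["cmd"]):
                findings.append(Finding(rec["ts"], rec["host"], rec["user"], rule, rec["cmd"]))
                break  # one finding per line is enough
    return findings


def hosts_at_risk(findings, min_rules=2):
    """Hosts on which at least min_rules distinct tamper commands ran.

    A single vssadmin resize can be legitimate housekeeping; several distinct
    recovery-destroying commands within one session almost never are.
    """
    rules_by_host = {}
    for f in findings:
        rules_by_host.setdefault(f.host, set()).add(f.rule)
    return sorted(h for h, rules in rules_by_host.items() if len(rules) >= min_rules)


# Constructed sample log: one file server showing the classic pre-encryption
# sequence, one workstation with a lone shadow-storage resize, and benign noise.
SAMPLE_LOG = r"""
2019-03-12T02:14:05Z host=MFG-FS01 user=CORP\svc_backup pid=4120 cmd="vssadmin list shadows"
2019-03-12T02:14:07Z host=MFG-FS01 user=CORP\svc_backup pid=4188 cmd="vssadmin.exe Delete Shadows /all /quiet"
2019-03-12T02:14:07Z host=MFG-FS01 user=CORP\svc_backup pid=4190 cmd="wmic.exe shadowcopy delete"
2019-03-12T02:14:08Z host=MFG-FS01 user=CORP\svc_backup pid=4193 cmd="bcdedit /set {default} recoveryenabled No"
2019-03-12T02:14:08Z host=MFG-FS01 user=CORP\svc_backup pid=4195 cmd="wbadmin DELETE CATALOG -quiet"
2019-03-12T02:20:41Z host=MFG-WS17 user=CORP\jdoe pid=7712 cmd="vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB"
2019-03-12T08:01:12Z host=MFG-WS22 user=CORP\asmith pid=1220 cmd="notepad.exe C:\Users\asmith\notes.txt"
"""

if __name__ == "__main__":
    results = scan(SAMPLE_LOG.strip().splitlines())
    for f in results:
        print(f"{f.ts} {f.host} {f.user} [{f.rule}] {f.command}")
    print("hosts at risk:", hosts_at_risk(results))
```

The correlation step matters: a backup agent may legitimately resize shadow storage, but a host that deletes its shadow copies, wipes the backup catalog and disables boot recovery within seconds is in the last minute before encryption, and that is the alert worth paging on. Note that the benign `vssadmin list shadows` line produces no finding.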

Recovering applications and data after a ransomware intrusion becomes a race against the clock: the victim must stop lateral movement and eradicate the ransomware while restoring business-critical operations. Because ransomware needs time to spread, the encryption phase is usually triggered at night or over a weekend, when it takes longer for anyone to notice. This compounds the difficulty of promptly assembling and organizing a qualified response team.

Progent offers a range of services for protecting organizations from ransomware. These include staff training to help recognize and avoid phishing, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and deployment of modern endpoint security tools that use machine learning and behavioral analysis to detect and stop zero-day threats. Progent also provides seasoned ransomware recovery engineers with the track record and commitment to rebuild a breached network as quickly as possible.

Progent's Ransomware Restoration Services
After a ransomware attack, even paying the ransom in cryptocurrency does not guarantee that the attackers will hand over the keys to decrypt all your data. Kaspersky found that seventeen percent of ransomware victims never recovered their data even after paying, compounding their losses. The ransom itself is also very costly: Ryuk demands commonly range from fifteen to forty BTC (roughly $120,000 to $400,000), well above the typical ransomware demand, which ZDNet estimated at around $13,000. The fallback is to rebuild the key elements of your IT environment. Without usable backups of essential data, this calls for a wide range of skills, well-coordinated project management, and the willingness to work around the clock until the job is done.

For two decades, Progent has provided professional IT services for companies in Jacksonville and across the US and has earned Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes engineers who hold high-level industry certifications in leading technologies including Microsoft, Cisco, VMware, and major distributions of Linux. Progent's security engineers have earned internationally recognized certifications including CISM, CISSP-ISSAP, ISACA CRISC, and SANS GIAC. (Refer to Progent's certifications.) Progent also has expertise with accounting and ERP application software. This breadth of expertise gives Progent the capability to quickly identify the critical systems, salvage the remaining components of your network after a ransomware attack, and configure them into a functioning environment.

Progent's security group uses state-of-the-art project management tools to coordinate the complex recovery process. Progent knows the urgency of acting quickly and in concert with a customer's management and IT staff to prioritize tasks and to put the most important services back online as soon as possible.

Customer Case Study: A Successful Ransomware Intrusion Restoration
A client escalated to Progent after their network was brought down by the Ryuk crypto-ransomware. Ryuk was built from the source code of the earlier Hermes ransomware, which led early reports to attribute it to North Korean state-sponsored actors; subsequent analysis attributes Ryuk operations to financially motivated, Russian-speaking criminal groups. Ryuk is deployed in targeted, human-operated intrusions against organizations with little tolerance for downtime and is one of the most lucrative ransomware families to date. Notable victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a single-location manufacturing business headquartered in the Chicago metro area with about 500 staff members. The Ryuk attack had brought down all company operations and manufacturing processes. Most of the client's backups had been online at the start of the attack and were destroyed. The client was actively seeking loans to pay the ransom demand (more than two hundred thousand dollars) and hoping for the best, but in the end engaged Progent.


"I can't speak enough in regards to the support Progent provided us during the most stressful period of (our) company's life. We most likely would have paid the hackers behind this attack if not for the confidence the Progent team provided us. The fact that you could get our messaging and important applications back on-line sooner than five days was beyond my wildest dreams. Every single consultant I got help from or communicated with at Progent was urgently focused on getting our system up and was working non-stop on our behalf."

Progent worked together with the client to rapidly understand and prioritize the mission critical applications that needed to be recovered in order to restart departmental functions:

  • Windows Active Directory
  • Email (Microsoft Exchange)
  • Accounting and Manufacturing Software
To begin, Progent followed standard malware incident-response practice: isolate affected systems from the network, then clean or rebuild them before anything is reconnected. Progent then started recovering Active Directory, the foundation of any Microsoft-based environment. Exchange cannot run without Active Directory, and the client's accounting and MRP applications ran on Microsoft SQL Server, which relied on Active Directory (Windows authentication) to control access to the databases.

Within two days, Progent had rebuilt Active Directory to its pre-attack state. Progent then moved on to the setup and disk recovery of the required servers. All Exchange schema extensions and attributes were intact in Active Directory, which sped up the Exchange rebuild. Progent gathered local OST files (Outlook Offline Data Files) from staff PCs and laptops to recover mail messages. A reasonably recent offline backup of the client's accounting/MRP software made it possible to return those services to users. Although much work remained to recover completely from the Ryuk event, the critical systems were back quickly:


"For the most part, the production operation showed little impact and we did not miss any customer deliverables."

During the next few weeks key milestones in the recovery process were completed in close cooperation between Progent consultants and the customer:

  • Self-hosted web applications were brought back up without losing any information.
  • The MailStore Exchange Server containing more than four million historical messages was brought on-line and accessible to users.
  • CRM/Product Ordering/Invoices/Accounts Payable (AP)/Accounts Receivables/Inventory functions were 100% recovered.
  • A new Palo Alto Networks PA-850 firewall was brought online.
  • 90% of the desktop computers were operational.

"So much of what happened during the initial response is mostly a blur for me, but I will not soon forget the countless hours all of you put in to give us our company back. I have been working with Progent for the past ten years, maybe more, and each time I needed help Progent has shined and delivered. This situation was the most impressive ever."

Conclusion
A potentially business-killing catastrophe was averted by dedicated professionals, a broad range of IT skills, and tight collaboration. Post-incident forensics concluded that the intrusion described here could have been prevented by up-to-date security tooling and best practices, user and IT administrator training, and well-designed procedures for protecting data and applying software patches. The reality, however, is that well-resourced ransomware operators, including state-sponsored and state-tolerated groups from Russia, China and elsewhere, are relentless and represent an ongoing threat. If you are hit by ransomware, you can be confident that Progent's roster of professionals has proven experience in ransomware defense, removal, and information systems restoration.


"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (along with others that were involved), thanks very much for letting me get rested after we made it over the initial fire. Everyone did a fabulous effort, and if any of your team is in the Chicago area, a great meal is the least I can do!"

To review or download a PDF version of this customer story, click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Offered by Progent
Progent offers businesses in Jacksonville a range of remote monitoring and security assessment services to help you minimize the threat from ransomware. These services use modern machine learning technology to uncover new variants of crypto-ransomware that can evade traditional signature-based security products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring is an endpoint protection (EPP) service that incorporates next-generation behavioral machine learning tools to defend physical and virtual endpoints against modern malware attacks like ransomware and file-less exploits, which easily evade traditional signature-matching anti-virus tools. ProSight Active Security Monitoring safeguards on-premises and cloud-based resources and provides a unified platform to address the complete threat progression including blocking, detection, containment, remediation, and post-attack forensics. Key capabilities include single-click rollback using Windows Volume Shadow Copy Service (VSS) and real-time system-wide immunization against new threats. Note that rollback from shadow copies only works if the copies still exist: most ransomware families, Ryuk included, delete shadow copies (for example with vssadmin delete shadows) and disable Windows recovery before encrypting, so endpoint rollback complements, and does not replace, offline or immutable backups. Read more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Protection and Microsoft Exchange Filtering
    Progent's ProSight Enhanced Security Protection (ESP) services deliver economical multi-layer security for physical servers and VMs, desktops, mobile devices, and Microsoft Exchange. ProSight ESP uses contextual security and advanced heuristics for continuously monitoring and reacting to cyber attacks from all vectors. ProSight ESP provides firewall protection, intrusion alerts, device control, and web filtering via leading-edge technologies incorporated within one agent managed from a unified console. Progent's data protection and virtualization experts can help your business plan and implement a ProSight ESP deployment that addresses your company's unique needs and that helps you achieve and demonstrate compliance with legal and industry data protection regulations. Progent will help you specify and configure the policies that ProSight ESP will enforce, and Progent will monitor your network and react to alarms that call for immediate attention. Progent's consultants can also help you set up and verify a backup and disaster recovery solution such as ProSight Data Protection Services so you can recover rapidly from a potentially disastrous security attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint protection and Microsoft Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services offer small and mid-sized organizations an affordable and fully managed service for reliable backup and disaster recovery. Available at a fixed monthly cost, ProSight Data Protection Services automates your backup activities and enables rapid recovery of critical files, applications and virtual machines that have become unavailable or damaged as a result of component failures, software bugs, natural disasters, human error, or malicious attacks like ransomware. ProSight DPS can help you protect, retrieve and restore files, folders, applications, system images, and Hyper-V and VMware images. Critical data can be protected in the cloud, on a local device, or both. Progent's BDR specialists can provide world-class support to configure ProSight Data Protection Services to comply with regulatory standards like HIPAA, FERPA, PCI and Safe Harbor and, when necessary, can help you restore your business-critical data. Find out more about ProSight DPS Managed Cloud Backup.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering and email encryption service that incorporates the infrastructure of leading data security companies to deliver web-based management and comprehensive protection for your inbound and outbound email. The hybrid architecture of Email Guard combines cloud-based filtering with a local gateway device to provide complete protection against spam, viruses, DoS attacks, directory harvest attacks, and other email-based threats. The Cloud Protection Layer acts as a preliminary barricade and blocks most unwanted email before it reaches your network firewall. This decreases your exposure to external attacks and conserves network bandwidth and storage space. Email Guard's onsite gateway device adds a deeper level of analysis for incoming email. For outbound email, the local security gateway provides AV and anti-spam filtering, DLP, and email encryption. The on-premises security gateway can also assist Exchange Server to monitor and protect internal email that stays within your security perimeter. For more information, see Email Guard spam and content filtering.

  • ProSight WAN Watch: Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is a network infrastructure management service that makes it easy and inexpensive for small and mid-sized organizations to diagram, track, enhance and troubleshoot their connectivity hardware like routers, firewalls, and wireless controllers as well as servers, client computers and other networked devices. Using cutting-edge Remote Monitoring and Management (RMM) technology, WAN Watch makes sure that infrastructure topology maps are kept updated, captures and displays the configuration information of almost all devices on your network, tracks performance, and sends notices when potential issues are discovered. By automating tedious management activities, ProSight WAN Watch can knock hours off common chores like network mapping, expanding your network, locating appliances that need important software patches, or identifying the cause of performance issues. Learn more about ProSight WAN Watch infrastructure management services.

  • ProSight LAN Watch: Server and Desktop Monitoring
    ProSight LAN Watch is Progent's server and desktop monitoring service that uses advanced remote monitoring and management techniques to keep your network operating efficiently by checking the state of the vital assets that drive your information system. When ProSight LAN Watch uncovers a problem, an alert is sent immediately to your specified IT personnel and your assigned Progent consultant so any potential problems can be resolved before they disrupt productivity. Learn more details about ProSight LAN Watch server and desktop remote monitoring consulting.

  • ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
    With ProSight Virtual Hosting service, a small or mid-size business can have its critical servers and applications hosted in a protected, fault-tolerant data center on a fast virtual machine host configured and managed by Progent's IT support professionals. Under Progent's ProSight Virtual Hosting model, the customer retains ownership of the data, the operating system software, and the applications. Because the environment is virtualized, it can be moved easily to an alternate hardware environment without requiring a time-consuming and technically risky configuration process. With ProSight Virtual Hosting, you are not tied to a single hosting provider. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to capture, maintain, find and safeguard information about your IT infrastructure, processes, business applications, and services. You can quickly locate passwords or serial numbers and be warned automatically about upcoming expirations of SSL certificates, domains or warranties. By cleaning up and managing your IT infrastructure documentation, you can eliminate up to 50% of the time wasted trying to find vital information about your IT network. ProSight IT Asset Management includes a common location for storing and sharing all documents required for managing your network infrastructure, such as standard operating procedures (SOPs) and How-To's. ProSight IT Asset Management also supports a high level of automation for gathering and associating IT data. Whether you're planning enhancements, doing regular maintenance, or responding to an emergency, ProSight IT Asset Management delivers the knowledge you require the instant you need it. Read more about Progent's ProSight IT Asset Management service.
For 24-Hour Jacksonville Crypto-Ransomware Recovery Consulting, reach out to Progent at 800-993-9400 or go to Contact Progent.