Ransomware: Your Worst IT Catastrophe
Ransomware has become an all-too-frequent cyberplague that presents an existential danger for organizations vulnerable to an attack. Different iterations of ransomware like the CrySIS, Fusob, Bad Rabbit, Syskey and MongoLock cryptoworms have been running rampant for many years and continue to inflict damage. The latest versions of ransomware like Ryuk and Hermes, along with frequent as-yet-unnamed strains, not only encrypt online data files but also infiltrate any configured system protection mechanisms. Files synced to cloud environments can also be ransomed. With a poorly designed data protection solution, this can make automated restoration hopeless and effectively sets the network back to square one.
Getting applications and data back online after a crypto-ransomware attack becomes a sprint against the clock as the victim fights to stop the spread, clear the ransomware, and resume mission-critical activity. Because ransomware takes time to replicate, penetrations are usually sprung at night, when successful penetrations may take longer to recognize. This multiplies the difficulty of quickly assembling and organizing a knowledgeable response team.
Progent provides a variety of services for protecting businesses from crypto-ransomware penetrations. Among these are training team members to recognize and avoid phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and setup and configuration of next-generation security appliances with machine learning capabilities to rapidly detect and extinguish zero-day cyber threats. Progent also provides the assistance of expert ransomware recovery professionals with the skills and perseverance to restore a breached system as rapidly as possible.
Progent's Crypto-Ransomware Restoration Help
After a ransomware penetration, paying the ransom demands in cryptocurrency does not guarantee that distant criminals will return the keys needed to decrypt any of your files. Kaspersky ascertained that 17% of crypto-ransomware victims never recovered their data even after having paid the ransom, resulting in additional losses. The gamble is also expensive. Ryuk ransoms often range from fifteen to forty BTC ($120,000 to $400,000). This is greatly above the average crypto-ransomware demand, which ZDNET determined to be approximately $13,000. The other path is to re-install the vital elements of your IT environment. Absent access to full system backups, this calls for a broad range of IT skills, well-coordinated team management, and the capability to work 24x7 until the recovery project is done.
For decades, Progent has made available expert Information Technology services for businesses in Albuquerque and throughout the U.S. and has achieved Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes consultants who have attained top industry certifications in leading technologies like Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cyber security experts have garnered internationally-renowned certifications including CISA, CISSP-ISSAP, CRISC, and GIAC. (Visit Progent's certifications). Progent also has experience with financial systems and ERP software solutions. This breadth of experience affords Progent the ability to quickly identify critical systems, re-organize the surviving parts of your network environment after a ransomware penetration, and assemble them into a functioning system.
Progent's security team uses powerful project management tools to coordinate the sophisticated restoration process. Progent knows the urgency of acting rapidly and in concert with a customer's management and IT resources to assign priority to tasks and to get key applications back online as fast as possible.
Client Case Study: A Successful Ransomware Virus Recovery
A customer sought out Progent after their organization was brought down by Ryuk ransomware. Ryuk is thought to have been deployed by North Korean state-sponsored hackers, suspected of adopting strategies exposed from America's National Security Agency. Ryuk targets specific companies with little or no ability to sustain disruption and is among the most lucrative versions of crypto-ransomware. Headline victims include Data Resolution, a California-based information warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a small manufacturing company based in the Chicago metro area with around 500 workers. The Ryuk event had frozen all company operations and manufacturing capabilities. Most of the client's backups had been directly accessible at the start of the intrusion and were eventually encrypted. The client considered paying the ransom (more than two hundred thousand dollars) and hoping for good luck, but in the end brought in Progent.
"I cannot say enough about the help Progent provided us during the most fearful time of (our) company's life. We may have had to pay the Hackers if not for the confidence the Progent team gave us. The fact that you were able to get our e-mail system and critical servers back faster than 1 week was beyond my wildest dreams. Every single staff member I got help from or texted at Progent was totally committed to getting us working again and was working non-stop to bail us out."
Progent worked together with the client to rapidly understand and assign priority to the critical elements that had to be recovered in order to restart company functions:
- Microsoft Active Directory
- Electronic Mail
- MRP System
To get going, Progent adhered to ransomware event mitigation best practices by halting the spread and performing virus removal steps. Progent then initiated the work of recovering Active Directory, the heart of enterprise systems built upon Microsoft technology. Microsoft Exchange Server messaging will not function without AD, and the business's accounting and MRP system utilized SQL Server, which requires Active Directory for access to the database.
In less than 48 hours, Progent was able to recover Active Directory to its pre-intrusion state. Progent then helped perform rebuilding and hard drive recovery of essential applications. All Exchange schema and attributes were intact, which facilitated the restore of Exchange. Progent was also able to assemble intact OST data files (Outlook Email Offline Folder Files) on team workstations and laptops to recover mail messages. A recent offline backup of the client's accounting/ERP software made it possible to restore these essential programs and make them available to users again. Although a large amount of work was left to recover totally from the Ryuk damage, the most important systems were restored quickly:
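The recovery sequence above is driven by dependencies: Exchange and the SQL Server behind the MRP system cannot come back before Active Directory does. The following script is an added example (not Progent's tooling, and not part of the original case study) that turns such a dependency map into restoration waves with Kahn's topological sort, ordering each wave by a business-priority ranking and refusing to produce a plan if the map contains a cycle. The service names, dependency edges and priority values are constructed for illustration and go beyond the three items the case study lists.

```python
"""Dependency-ordered recovery planner.

Added example, not Progent's software. The dependency map and priorities
below are constructed to mirror the case study: Exchange and SQL Server
need Active Directory, and the MRP/ERP applications need SQL Server.
"""

# Constructed map: service -> services that must be restored before it.
DEPENDENCIES = {
    "Active Directory": [],
    "Exchange Server": ["Active Directory"],
    "SQL Server": ["Active Directory"],
    "MRP System": ["SQL Server"],
    "Accounting/ERP": ["SQL Server"],
    "Self-hosted web sites": [],
    "Firewall": [],
}

# Constructed business priority; lower values are restored first within a wave.
PRIORITY = {
    "Active Directory": 0,
    "Exchange Server": 1,
    "SQL Server": 2,
    "MRP System": 3,
    "Accounting/ERP": 4,
}


def recovery_order(deps, priority):
    """Return a list of restoration waves (Kahn's algorithm).

    Every service in a wave has all of its dependencies in earlier waves, so
    each wave can be worked on in parallel. Services inside a wave are sorted
    by `priority`. A cycle in `deps` makes the plan unworkable, so it raises
    ValueError naming the services that were never reached.
    """
    indegree = {s: len(set(reqs)) for s, reqs in deps.items()}
    dependents = {s: [] for s in deps}
    for service, reqs in deps.items():
        for req in set(reqs):
            if req not in deps:
                raise KeyError(f"unknown dependency {req!r} for {service!r}")
            dependents[req].append(service)

    ready = sorted((s for s, d in indegree.items() if d == 0), key=priority)
    waves, placed = [], 0
    while ready:
        waves.append(ready)
        placed += len(ready)
        next_wave = []
        for service in ready:
            for dep in dependents[service]:
                indegree[dep] -= 1
                if indegree[dep] == 0:
                    next_wave.append(dep)
        ready = sorted(next_wave, key=priority)

    if placed != len(deps):
        stuck = [s for s, d in indegree.items() if d > 0]
        raise ValueError("dependency cycle involving: " + ", ".join(stuck))
    return waves


def plan(deps=DEPENDENCIES):
    """Restoration waves for the constructed map, most critical items first."""
    return recovery_order(deps, key_for_priority)


def key_for_priority(service):
    # Unranked services sort after ranked ones, then alphabetically.
    return (PRIORITY.get(service, 99), service)


if __name__ == "__main__":
    for n, wave in enumerate(plan(), start=1):
        print(f"Wave {n}: {', '.join(wave)}")
```

Running the script prints three waves: Active Directory (together with the items that do not depend on it), then Exchange and SQL Server, then the MRP and ERP applications. Editing the map to reflect an actual environment, including the backup server and its own authentication dependencies, is what makes the output useful during an incident.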
"For the most part, the production line operation ran fairly normal throughout and we made all customer shipments."
Over the next month critical milestones in the restoration project were made through tight collaboration between Progent consultants and the client:
- Self-hosted web sites were brought back up without losing any information.
- The MailStore Microsoft Exchange Server with over 4 million historical messages was brought on-line and accessible to users.
- CRM/Customer Orders/Invoicing/Accounts Payable/Accounts Receivables (AR)/Inventory Control modules were completely recovered.
- A new Palo Alto 850 security appliance was brought on-line.
- Nearly all of the user PCs were back in use by staff.
"A lot of what was accomplished in the early hours is mostly a blur for me, but our team will not forget the commitment each and every one of your team accomplished to give us our company back. I have been working together with Progent for at least 10 years, maybe more, and every time Progent has impressed me and delivered. This event was a life saver."
A possible business catastrophe was averted through the efforts of dedicated experts, a broad array of subject matter expertise, and tight teamwork. In hindsight, the crypto-ransomware penetration described here should have been identified and prevented with up-to-date cyber security solutions and recognized best practices, staff education, and appropriate security procedures for backups and for keeping systems current with security patches. The reality, however, is that state-sponsored criminal cyber gangs from China, North Korea and elsewhere are tireless and will continue. If you do fall victim to a ransomware incursion, remember that Progent's team of professionals has extensive experience in ransomware virus defense, mitigation, and file disaster recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (and any others who were contributing), thank you for making it so I could get some sleep after we got through the most critical parts. All of you did an amazing effort, and if anyone that helped is visiting the Chicago area, dinner is my treat!"
To read or download a PDF version of this customer case study, click: Progent's Crypto-Ransomware Incident Recovery Case Study Datasheet (PDF, 282 KB).
Additional Ransomware Protection Services Offered by Progent
Progent offers businesses in Albuquerque a range of online monitoring and security evaluation services to help you to reduce your vulnerability to ransomware. These services incorporate modern artificial intelligence capability to detect zero-day strains of ransomware that can escape detection by traditional signature-based anti-virus solutions.
For Albuquerque 24-7 CryptoLocker Cleanup Help, reach out to Progent at 800-993-9400 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) service that incorporates cutting edge behavior-based analysis tools to defend physical and virtual endpoint devices against new malware assaults such as ransomware and file-less exploits, which routinely evade traditional signature-based AV tools. ProSight ASM safeguards local and cloud resources and offers a single platform to address the entire malware attack lifecycle including filtering, infiltration detection, containment, remediation, and post-attack forensics. Key capabilities include single-click rollback using Windows VSS and automatic system-wide immunization against newly discovered threats. Read more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware defense.
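Behavior-based detection, as contrasted above with signature-based AV, watches what a process does rather than what its binary looks like. The script below is an added example (not ProSight ASM code or any Progent product) of one such heuristic: a process that renames many files to a new extension within a short time window is exhibiting the file-system footprint of bulk encryption. The log format, process names, paths and timestamps are all constructed for this example; a real deployment would feed it from an EDR or file-audit event stream.

```python
"""Behavior-based ransomware heuristic over a file-event log.

Added example, not ProSight ASM code. Flags a process whose
extension-changing renames reach a threshold inside a sliding time window.
The log format and sample lines are constructed for this example.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format: "<ISO timestamp> pid=<n> proc=<name> op=<OP> path=<old>[ -> <new>]"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) pid=(?P<pid>\d+) proc=(?P<proc>\S+) op=(?P<op>\w+) "
    r"path=(?P<old>.+?)(?: -> (?P<new>.+))?$"
)

# Constructed sample: explorer.exe does a harmless rename, archiver.exe
# renames one file every two minutes (legitimate compression), and
# updater.exe rewrites a share to .locked files within a few seconds.
SAMPLE_LOG = r"""
2024-03-02T02:00:00 pid=2200 proc=archiver.exe op=RENAME path=C:\Logs\app1.log -> C:\Logs\app1.log.gz
2024-03-02T02:02:00 pid=2200 proc=archiver.exe op=RENAME path=C:\Logs\app2.log -> C:\Logs\app2.log.gz
2024-03-02T02:04:00 pid=2200 proc=archiver.exe op=RENAME path=C:\Logs\app3.log -> C:\Logs\app3.log.gz
2024-03-02T02:06:00 pid=2200 proc=archiver.exe op=RENAME path=C:\Logs\app4.log -> C:\Logs\app4.log.gz
2024-03-02T02:08:00 pid=2200 proc=archiver.exe op=RENAME path=C:\Logs\app5.log -> C:\Logs\app5.log.gz
2024-03-02T02:13:01 pid=3100 proc=explorer.exe op=RENAME path=C:\Users\amy\draft.docx -> C:\Users\amy\final.docx
2024-03-02T02:13:02 pid=4120 proc=updater.exe op=WRITE path=C:\Share\finance\q1.xlsx
2024-03-02T02:13:03 pid=4120 proc=updater.exe op=RENAME path=C:\Share\finance\q1.xlsx -> C:\Share\finance\q1.xlsx.locked
2024-03-02T02:13:05 pid=4120 proc=updater.exe op=RENAME path=C:\Share\finance\q2.xlsx -> C:\Share\finance\q2.xlsx.locked
2024-03-02T02:13:07 pid=4120 proc=updater.exe op=RENAME path=C:\Share\finance\budget.docx -> C:\Share\finance\budget.docx.locked
2024-03-02T02:13:09 pid=4120 proc=updater.exe op=RENAME path=C:\Share\hr\roster.xlsx -> C:\Share\hr\roster.xlsx.locked
2024-03-02T02:13:12 pid=4120 proc=updater.exe op=RENAME path=C:\Share\hr\policy.pdf -> C:\Share\hr\policy.pdf.locked
2024-03-02T02:13:15 pid=4120 proc=updater.exe op=RENAME path=C:\Share\eng\bom.csv -> C:\Share\eng\bom.csv.locked
""".strip().splitlines()


def parse(line):
    """Parse one log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.fromisoformat(event["ts"])
    return event


def ext(path):
    """Lower-cased extension of a Windows path ('' if none)."""
    name = path.rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def detect(lines, threshold=5, window=timedelta(seconds=60)):
    """Return {pid: (process name, first alert time)}.

    Only renames that change the file extension count. A deque per pid holds
    the timestamps still inside `window`, so memory stays bounded on long logs
    and slow, legitimate renames never accumulate to the threshold.
    """
    recent = defaultdict(deque)
    alerts = {}
    for ev in filter(None, map(parse, lines)):
        if ev["op"] != "RENAME" or ev["new"] is None:
            continue
        if ext(ev["old"]) == ext(ev["new"]):
            continue
        q = recent[ev["pid"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold and ev["pid"] not in alerts:
            alerts[ev["pid"]] = (ev["proc"], ev["ts"])
    return alerts


if __name__ == "__main__":
    for pid, (proc, when) in detect(SAMPLE_LOG).items():
        print(f"ALERT pid={pid} proc={proc} first seen {when.isoformat()}")
```

On the sample log only pid 4120 trips the rule, at the fifth extension-changing rename (02:13:12); archiver.exe never has more than one rename inside any 60-second window, and the explorer.exe rename keeps its extension. The threshold and window are the tuning knobs: the tighter they are, the earlier containment can start, at the cost of more false positives from legitimate bulk tools such as backup or compression jobs.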
- ProSight Enhanced Security Protection: Physical and Virtual Endpoint Protection and Microsoft Exchange Filtering
Progent's ProSight Enhanced Security Protection (ESP) services offer ultra-affordable multi-layer protection for physical and virtual servers, desktops, mobile devices, and Exchange Server. ProSight ESP utilizes adaptive security and advanced heuristics for continuously monitoring and reacting to cyber threats from all vectors. ProSight ESP provides two-way firewall protection, penetration alarms, device control, and web filtering via leading-edge tools packaged within one agent managed from a single console. Progent's data protection and virtualization consultants can assist your business to design and configure a ProSight ESP environment that meets your company's specific needs and that helps you achieve and demonstrate compliance with government and industry information security regulations. Progent will help you specify and implement policies that ProSight ESP will enforce, and Progent will monitor your IT environment and react to alarms that require urgent action. Progent's consultants can also help your company to set up and verify a backup and disaster recovery system like ProSight Data Protection Services (DPS) so you can recover quickly from a potentially disastrous security attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection unified endpoint protection and Microsoft Exchange email filtering.
- ProSight Data Protection Services: Managed Backup and Recovery
ProSight Data Protection Services from Progent offer small and medium-sized businesses a low-cost end-to-end service for secure backup and disaster recovery. Available at a low monthly cost, ProSight Data Protection Services automates your backup processes and enables rapid recovery of vital data, applications and virtual machines that have become unavailable or corrupted due to component breakdowns, software bugs, disasters, human mistakes, or malicious attacks such as ransomware. ProSight DPS can help you protect, recover and restore files, folders, apps, system images, plus Microsoft Hyper-V and VMware images. Critical data can be backed up to the cloud, to a local storage device, or mirrored to both. Progent's backup and recovery consultants can provide advanced expertise to configure ProSight DPS to be compliant with regulatory standards such as HIPAA, FERPA, PCI and Safe Harbor and, whenever necessary, can assist you to restore your critical information. Learn more about ProSight DPS Managed Backup.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam filtering service that incorporates the infrastructure of leading information security companies to provide centralized management and comprehensive protection for all your email traffic. The hybrid structure of Progent's Email Guard managed service integrates a Cloud Protection Layer with an on-premises gateway device to offer advanced protection against spam, viruses, Denial of Service (DoS) Attacks, Directory Harvest Attacks (DHAs), and other email-borne threats. Email Guard's Cloud Protection Layer serves as a first line of defense and blocks most threats from making it to your security perimeter. This decreases your vulnerability to inbound attacks and conserves system bandwidth and storage. Email Guard's onsite security gateway device adds a further level of inspection for incoming email. For outbound email, the on-premises gateway offers anti-virus and anti-spam protection, DLP, and email encryption. The onsite security gateway can also assist Exchange Server to track and protect internal email that stays inside your corporate firewall. For more information, see ProSight Email Guard spam and content filtering.
- ProSight WAN Watch: Infrastructure Management
ProSight WAN Watch is an infrastructure monitoring and management service that makes it easy and affordable for small and mid-sized businesses to map out, track, enhance and troubleshoot their networking appliances such as routers, firewalls, and wireless controllers plus servers, endpoints and other devices. Using cutting-edge Remote Monitoring and Management (RMM) technology, ProSight WAN Watch ensures that infrastructure topology diagrams are always current, copies and displays the configuration information of almost all devices connected to your network, monitors performance, and generates notices when potential issues are detected. By automating complex management processes, WAN Watch can cut hours off common tasks such as network mapping, expanding your network, locating devices that need critical updates, or isolating performance issues. Learn more details about ProSight WAN Watch network infrastructure monitoring and management services.
- ProSight LAN Watch: Server and Desktop Monitoring and Management
ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that uses state-of-the-art remote monitoring and management technology to keep your network running at peak levels by checking the health of vital assets that drive your information system. When ProSight LAN Watch detects a problem, an alarm is sent automatically to your specified IT personnel and your Progent engineering consultant so that any looming problems can be addressed before they can disrupt your network. Learn more details about ProSight LAN Watch server and desktop remote monitoring services.
- ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
With Progent's ProSight Virtual Hosting service, a small or mid-size organization can have its critical servers and apps hosted in a secure fault tolerant data center on a high-performance virtual host set up and maintained by Progent's network support experts. With the ProSight Virtual Hosting model, the client retains ownership of the data, the OS software, and the apps. Since the system is virtualized, it can be moved immediately to an alternate hardware solution without a lengthy and difficult configuration process. With ProSight Virtual Hosting, your business is not locked into one hosting provider. Learn more details about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to capture, maintain, retrieve and safeguard information related to your IT infrastructure, processes, business apps, and services. You can instantly find passwords or serial numbers and be alerted about impending expirations of SSL certificates, domains or warranties. By updating and managing your network documentation, you can save up to 50% of the time thrown away looking for critical information about your network. ProSight IT Asset Management features a centralized location for storing and collaborating on all documents required for managing your business network like standard operating procedures and How-To's. ProSight IT Asset Management also supports advanced automation for collecting and relating IT data. Whether you're planning improvements, doing maintenance, or reacting to a crisis, ProSight IT Asset Management gets you the knowledge you require as soon as you need it. Read more about Progent's ProSight IT Asset Management service.