Ransomware : Your Feared IT Disaster
Crypto-Ransomware Remediation Consultants
Crypto-Ransomware has become an escalating cyber pandemic that presents an existential danger for businesses poorly prepared for an assault. Different iterations of ransomware like the CryptoLocker, WannaCry, Locky, NotPetya and MongoLock cryptoworms have been running rampant for years and continue to cause harm. More recent variants of ransomware such as Ryuk, Maze, Sodinokibi, Netwalker, Snatch or Egregor, plus additional as yet unnamed viruses, not only encrypt online files but also infect all configured system restores and backups. Files synced to off-site disaster recovery sites can also be ransomed. With a vulnerable data protection solution, this can make automated recovery impossible and effectively sets the datacenter back to square one.

Getting back on-line services and information after a crypto-ransomware event becomes a sprint against time as the victim struggles to contain and eradicate the crypto-ransomware and to resume mission-critical operations. Since ransomware needs time to replicate, penetrations are frequently sprung at night, when attacks may take longer to notice. This compounds the difficulty of promptly assembling and coordinating a capable response team.

Progent offers a variety of help services for securing organizations from crypto-ransomware penetrations. Among these are team education to become familiar with and not fall victim to phishing exploits, ProSight Active Security Monitoring (ASM) for remote monitoring and management, plus installation of next-generation security appliances with AI technology to quickly identify and suppress new cyber attacks. Progent also offers the assistance of veteran crypto-ransomware recovery professionals with the track record and perseverance to reconstruct a breached network as quickly as possible.

Progent's Ransomware Restoration Services
After a ransomware event, sending the ransom in Bitcoin cryptocurrency does not guarantee that cyber criminals will respond with the keys to decrypt all your files. Kaspersky estimated that seventeen percent of crypto-ransomware victims never recovered their information after having sent off the ransom, resulting in increased losses. The gamble is also expensive. Ryuk ransoms often range from fifteen to forty BTC (between $120,000 and $400,000). This is far higher than the average ransomware demand, which ZDNET estimates to be in the range of $13,000. The alternative is to re-install the mission-critical elements of your IT environment. Absent access to full information backups, this calls for a broad range of skills, top notch project management, and the willingness to work continuously until the task is completed.

For twenty years, Progent has made available certified expert IT services for companies in Albuquerque and throughout the U.S. and has earned Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes engineers who have earned advanced industry certifications in foundation technologies including Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cybersecurity experts have garnered internationally-renowned certifications including CISM, CISSP, ISACA CRISC, and SANS GIAC. (See Progent's certifications). Progent also has experience with accounting and ERP software solutions. This breadth of experience provides Progent the skills to quickly ascertain necessary systems and consolidate the remaining components of your network system following a ransomware penetration and assemble them into an operational system.

Progent's recovery team of experts uses top notch project management tools to orchestrate the complicated restoration process. Progent knows the urgency of acting swiftly and in unison with a customer's management and Information Technology staff to prioritize tasks and to get essential systems back on-line as fast as possible.

Client Case Study: A Successful Ransomware Intrusion Recovery
A business engaged Progent after their network was attacked by Ryuk ransomware. Ryuk is thought to have been deployed by North Korean state-sponsored hackers, suspected of using technology leaked from the U.S. National Security Agency. Ryuk targets specific companies with little tolerance for disruption and is among the most lucrative incarnations of ransomware. Highly publicized victims include Data Resolution, a California-based information warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a single-location manufacturing company located in the Chicago metro area with around 500 staff members. The Ryuk intrusion had paralyzed all company operations and manufacturing capabilities. The majority of the client's backups had been directly accessible at the start of the attack and were encrypted. The client was taking steps to pay the ransom (exceeding $200,000) and hoping for good luck, but ultimately brought in Progent.


"I can't speak enough in regards to the support Progent gave us during the most stressful period of (our) company's survival. We had little choice but to pay the cybercriminals if not for the confidence the Progent group afforded us. That you were able to get our e-mail system and important servers back into operation quicker than five days was beyond my wildest dreams. Every single expert I interacted with or communicated with at Progent was hell bent on getting our system up and was working breakneck pace to bail us out."

Progent worked together with the customer to rapidly assess and prioritize the most important systems that had to be restored to make it possible to restart business operations:

  • Active Directory (AD)
  • Microsoft Exchange Email
  • Accounting and Manufacturing Software
To begin, Progent followed anti-virus/malware incident response best practices by stopping lateral movement and cleaning infected systems. Progent then initiated the steps of recovering Microsoft Active Directory, the heart of enterprise networks built on Microsoft Windows technology. Exchange messaging will not operate without Windows AD, and the client's accounting and MRP applications used Microsoft SQL Server, which requires Active Directory services for authentication to the database.

In less than 2 days, Progent was able to restore Active Directory to its pre-intrusion state. Progent then assisted with reinstallations and storage recovery on the most important applications. All Exchange links and attributes were intact, which facilitated the restore of Exchange. Progent was able to collect local OST data files (Microsoft Outlook Off-Line Data Files) from various PCs and laptops in order to recover mail information. A fairly recent offline backup of the customer's financials/ERP systems made it possible to bring these vital services back on-line. Although major work was left to recover fully from the Ryuk attack, the most important services were recovered rapidly:
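The OST collection step described above, as an added PowerShell example that is not Progent's tooling or part of the original case study; the recovery share path, the profile root, and the assumption that the account running it can read every user profile on the workstation are mine:

```powershell
# Added example (not Progent's code): inventory and copy Outlook OST files from
# a workstation to a recovery share so mailbox content can be recovered while the
# Exchange databases are still unavailable. Assumptions: $RecoveryShare is a
# hypothetical UNC path; the caller has read access to every profile under C:\Users.
param(
    [string]$RecoveryShare = '\\recovery-srv\ost-collect',   # hypothetical share
    [string]$ProfileRoot   = 'C:\Users'
)

# Outlook keeps the OST open while it runs; copying a locked, half-flushed file
# can yield a corrupt copy, so refuse to collect rather than collect a bad copy.
if (Get-Process -Name outlook -ErrorAction SilentlyContinue) {
    throw 'Outlook is running; close it before collecting OST files.'
}

$dest = Join-Path $RecoveryShare $env:COMPUTERNAME
New-Item -ItemType Directory -Path $dest -Force | Out-Null

# The default OST location is %LOCALAPPDATA%\Microsoft\Outlook inside each user
# profile, so search every profile rather than only the current user's.
$ostFiles = Get-ChildItem -Path $ProfileRoot -Filter '*.ost' -Recurse -File `
                          -ErrorAction SilentlyContinue

$manifest = foreach ($f in $ostFiles) {
    $user   = ($f.FullName -split '\\')[2]            # C:\Users\<user>\...
    $target = Join-Path $dest ('{0}_{1}' -f $user, $f.Name)
    Copy-Item -Path $f.FullName -Destination $target -ErrorAction Stop
    # Hash the copy so it can later be shown to match what was collected.
    [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        User      = $user
        Source    = $f.FullName
        Copy      = $target
        SizeMB    = [math]::Round($f.Length / 1MB, 1)
        LastWrite = $f.LastWriteTimeUtc
        SHA256    = (Get-FileHash -Path $target -Algorithm SHA256).Hash
    }
}

# One manifest per workstation gives the recovery team a single list of which
# mailboxes were recovered from which machine, with sizes and last-write times.
$manifest | Export-Csv -Path (Join-Path $dest 'ost-manifest.csv') -NoTypeInformation
$manifest | Format-Table User, SizeMB, LastWrite -AutoSize
```

Run it per workstation (for example through a remote session) and merge the per-machine CSV manifests before importing OST contents into the rebuilt mailboxes.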


"For the most part, the manufacturing operation ran fairly normal throughout and we made all customer deliverables."

Over the next couple of weeks critical milestones in the recovery project were completed in close collaboration between Progent engineers and the customer:

  • Self-hosted web applications were returned to operation with no loss of data.
  • The MailStore Microsoft Exchange Server exceeding 4 million archived messages was brought on-line and available for users.
  • CRM/Customer Orders/Invoicing/Accounts Payable/Accounts Receivables (AR)/Inventory Control functions were completely restored.
  • A new Palo Alto 850 security appliance was installed and configured.
  • Ninety percent of the user PCs were functioning as before the incident.

"Much of what was accomplished in the initial days is mostly a haze for me, but my management will not soon forget the dedication each and every one of your team put in to give us our business back. I have entrusted Progent for the past ten years, maybe more, and each time Progent has come through and delivered. This situation was no exception but maybe more Herculean."

Conclusion
A likely company-ending catastrophe was averted due to top-tier professionals, a wide array of subject matter expertise, and tight teamwork. Although, on completion of forensics, the ransomware penetration detailed here would have been identified and blocked by up-to-date security systems, ISO/IEC 27001 best practices, team training, properly executed incident response procedures for information protection, and proper patching controls, the reality remains that government-sponsored criminal cyber gangs from Russia, North Korea and elsewhere are tireless and will continue. If you do get hit by a ransomware penetration, feel confident that Progent's team of professionals has extensive experience in ransomware virus defense, mitigation, and file restoration.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (and any others that were contributing), I'm grateful for letting me get some sleep after we got over the initial push. All of you did an incredible job, and if anyone is around the Chicago area, a great meal is on me!"

To review or download a PDF version of this customer story, please click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent offers companies in Albuquerque a range of online monitoring and security assessment services to assist you to minimize your vulnerability to ransomware. These services utilize next-generation artificial intelligence technology to detect zero-day variants of crypto-ransomware that are able to get past legacy signature-based anti-virus products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring is an endpoint protection service that utilizes cutting edge behavior analysis technology to guard physical and virtual endpoint devices against new malware attacks such as ransomware and email phishing, which easily evade traditional signature-matching anti-virus tools. ProSight Active Security Monitoring safeguards on-premises and cloud-based resources and offers a single platform to automate the complete malware attack progression including blocking, infiltration detection, mitigation, cleanup, and post-attack forensics. Key features include one-click rollback with Windows Volume Shadow Copy Service (VSS) and real-time network-wide immunization against newly discovered threats. Read more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection (ESP): Endpoint Protection and Exchange Filtering
    Progent's ProSight Enhanced Security Protection services deliver affordable multi-layer protection for physical and virtual servers, workstations, smartphones, and Exchange email. ProSight ESP uses contextual security and advanced heuristics for round-the-clock monitoring and reacting to security assaults from all vectors. ProSight ESP offers two-way firewall protection, intrusion alerts, endpoint control, and web filtering via cutting-edge technologies incorporated within one agent managed from a single console. Progent's data protection and virtualization consultants can assist your business to design and configure a ProSight ESP deployment that addresses your company's unique needs and that allows you to prove compliance with government and industry data security standards. Progent will assist you in specifying and configuring the security policies that ProSight ESP will enforce, and Progent will monitor your IT environment and react to alerts that require immediate action. Progent's consultants can also help your company to set up and test a backup and restore system such as ProSight Data Protection Services so you can recover rapidly from a potentially disastrous cyber attack like ransomware. Find out more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint protection and Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services from Progent offer small and medium-sized organizations a low cost end-to-end service for secure backup/disaster recovery (BDR). Available at a fixed monthly rate, ProSight Data Protection Services automates and monitors your backup activities and enables fast restoration of critical files, applications and VMs that have become unavailable or corrupted as a result of hardware breakdowns, software bugs, disasters, human mistakes, or malware attacks like ransomware. ProSight Data Protection Services can help you back up, recover and restore files, folders, apps, system images, as well as Hyper-V and VMware virtual machine images. Critical data can be protected in the cloud, on an on-premises storage device, or mirrored to both. Progent's backup and recovery specialists can deliver world-class expertise to set up ProSight Data Protection Services to be compliant with regulatory requirements such as HIPAA, FINRA, and PCI and, whenever needed, can help you to recover your critical data. Learn more about ProSight Data Protection Services Managed Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering service that uses the infrastructure of top data security companies to deliver web-based control and comprehensive security for all your email traffic. The powerful architecture of Email Guard combines a Cloud Protection Layer with a local security gateway device to offer advanced protection against spam, viruses, Denial of Service (DoS) Attacks, Directory Harvest Attacks (DHAs), and other email-borne malware. The cloud filter acts as a preliminary barricade and blocks the vast majority of unwanted email from making it to your security perimeter. This reduces your vulnerability to external attacks and saves system bandwidth and storage space. Email Guard's on-premises gateway appliance provides a further level of analysis for incoming email. For outbound email, the on-premises security gateway offers anti-virus and anti-spam filtering, protection against data leaks, and email encryption. The local gateway can also assist Microsoft Exchange Server to track and safeguard internal email that stays inside your security perimeter. For more details, see Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Infrastructure Management
    Progent's ProSight WAN Watch is an infrastructure monitoring and management service that makes it easy and inexpensive for small and mid-sized organizations to map out, monitor, enhance and troubleshoot their networking hardware such as routers, firewalls, and load balancers as well as servers, printers, client computers and other networked devices. Using state-of-the-art Remote Monitoring and Management technology, WAN Watch ensures that network diagrams are always updated, copies and displays the configuration of virtually all devices on your network, tracks performance, and generates notices when problems are discovered. By automating tedious management activities, WAN Watch can cut hours off common chores like network mapping, reconfiguring your network, finding devices that require important software patches, or isolating performance bottlenecks. Find out more details about ProSight WAN Watch network infrastructure monitoring and management services.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that uses advanced remote monitoring and management technology to keep your IT system running efficiently by tracking the health of critical computers that power your business network. When ProSight LAN Watch detects a problem, an alert is transmitted automatically to your designated IT personnel and your Progent engineering consultant so any potential problems can be addressed before they can impact productivity. Find out more about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
    With ProSight Virtual Hosting service, a small organization can have its key servers and apps hosted in a protected Tier III data center on a high-performance virtual host set up and maintained by Progent's IT support professionals. With the ProSight Virtual Hosting service model, the customer owns the data, the OS software, and the apps. Because the system is virtualized, it can be moved immediately to an alternate hosting environment without requiring a time-consuming and technically risky reinstallation process. With ProSight Virtual Hosting, you are not locked into one hosting provider. Learn more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to create, update, retrieve and safeguard data related to your IT infrastructure, procedures, business apps, and services. You can instantly find passwords or IP addresses and be warned about upcoming expirations of SSL certificates or domains. By cleaning up and organizing your IT documentation, you can eliminate as much as 50% of time thrown away looking for critical information about your IT network. ProSight IT Asset Management includes a centralized repository for storing and collaborating on all documents related to managing your business network like recommended procedures and self-service instructions. ProSight IT Asset Management also supports advanced automation for gathering and associating IT information. Whether you're planning improvements, performing maintenance, or responding to an emergency, ProSight IT Asset Management gets you the data you require when you need it. Read more about ProSight IT Asset Management service.
For Albuquerque 24/7 Ransomware Recovery Consulting, contact Progent at 800-993-9400 or go to Contact Progent.