Ransomware : Your Crippling IT Nightmare
Ransomware Remediation Professionals
Ransomware has become a modern cyber pandemic that poses an extinction-level threat for businesses of all sizes that are poorly prepared for an attack. Multiple generations of ransomware like the CryptoLocker, Fusob, Locky, Syskey and MongoLock cryptoworms have been circulating for a long time and continue to cause havoc. The latest variants of crypto-ransomware such as Ryuk, Maze, Sodinokibi, DoppelPaymer, Conti or Nefilim, as well as newer, as yet unnamed malware, not only encrypt on-line critical data but also infiltrate many available system backups. Data replicated to off-site disaster recovery sites can also be ransomed. With a poorly architected data protection solution, this can make restore operations hopeless and effectively knock the network back to square one.

Getting applications and data back on-line after a ransomware intrusion becomes a sprint against the clock as the targeted organization tries its best to contain and clear the crypto-ransomware and to resume mission-critical operations. Since ransomware takes time to move laterally, attacks are frequently sprung at night, when successful penetrations typically take longer to notice. This multiplies the difficulty of quickly assembling and coordinating a qualified mitigation team.

Progent offers an assortment of solutions for protecting organizations from crypto-ransomware attacks. These include team training to help staff recognize and avoid phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, along with setup and configuration of modern security solutions with artificial intelligence technology to intelligently discover and extinguish zero-day threats. Progent can also provide the services of experienced crypto-ransomware recovery consultants with the skills and commitment to rebuild a breached network as quickly as possible.

Progent's Ransomware Restoration Support Services
After a ransomware penetration, paying the ransom in cryptocurrency does not guarantee that merciless criminals will return the keys needed to decrypt any or all of your files. Kaspersky ascertained that seventeen percent of ransomware victims never restored their data after having sent off the ransom, resulting in additional losses. The gamble is also costly. Ryuk ransoms often range from 15-40 BTC ($120,000 to $400,000). This is greatly above the typical crypto-ransomware demand, which ZDNET estimates averages approximately $13,000. The fallback is to set up the vital components of your IT environment from scratch. Absent the availability of essential system backups, this calls for a broad complement of skill sets, top notch team management, and the capability to work continuously until the task is done.

For two decades, Progent has provided expert Information Technology services for businesses in Mobile and throughout the U.S. and has achieved Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes consultants who have been awarded high-level industry certifications in leading technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity specialists have garnered internationally-renowned industry certifications including CISM, CISSP, ISACA CRISC, and SANS GIAC. (See Progent's certifications). Progent also has experience with financial systems and ERP software solutions. This breadth of expertise affords Progent the ability to efficiently understand important systems, re-organize the remaining parts of your computer network environment following a ransomware attack, and rebuild them into a functioning network.

Progent's security team of experts uses powerful project management systems to orchestrate the complex restoration process. Progent understands the importance of working rapidly and together with a client's management and IT resources to prioritize tasks and to get the most important applications back online as fast as humanly possible.

Client Case Study: A Successful Ransomware Virus Response
A small business contacted Progent after their company was taken over by Ryuk ransomware. Ryuk is believed to have been deployed by North Korean government sponsored criminal gangs, possibly using techniques leaked from the United States National Security Agency. Ryuk attacks specific businesses with little or no tolerance for operational disruption and is one of the most profitable ransomware families. Major victims include Data Resolution, a California-based information warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a small manufacturing business located in Chicago with around 500 staff members. The Ryuk attack had shut down all essential operations and manufacturing capabilities. The majority of the client's system backups had been directly accessible from the network at the start of the attack and were destroyed. The client was pursuing financing to pay the ransom (more than $200,000) and hoping for the best, but ultimately reached out to Progent.


"I can't speak enough about the help Progent gave us during the most stressful period of (our) business's life. We had little choice but to pay the Hackers if it wasn't for the confidence the Progent experts provided us. The fact that you were able to get our e-mail system and key applications back on-line in less than 1 week was incredible. Each expert I interacted with or communicated with at Progent was laser focused on getting my company operational and was working non-stop to bail us out."

Progent worked hand in hand with the client to quickly determine and prioritize the key systems that had to be recovered in order to restart business operations:

  • Active Directory (AD)
  • Microsoft Exchange
  • Accounting/MRP
To begin, Progent followed ransomware incident response industry best practices by stopping lateral movement and removing active malware. Progent then began the task of restoring Microsoft AD, the core technology of enterprise systems built on Microsoft products. Exchange messaging will not work without Windows AD, and the business's accounting and MRP applications relied on SQL Server, which requires Active Directory to authenticate access to the data.

Within 48 hours, Progent was able to restore Windows Active Directory to its pre-penetration state. Progent then assisted with reinstallation and storage recovery of mission critical servers. All Exchange Server ties and configuration information were intact, which greatly helped the rebuild of Exchange. Progent was able to collect local OST data files (Outlook Offline Folder Files) from team workstations and laptops to recover mail data. A reasonably recent off-line backup of the customer's accounting systems made it possible to return these essential services to users. Although major work remained to recover fully from the Ryuk event, critical services were restored rapidly:
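The recovery order described above follows a dependency chain: Exchange and the SQL Server-backed accounting/MRP system both need Active Directory, so AD comes back first, and only backups that the ransomware could not reach are usable restore sources. The following added example (not Progent's tooling, and not part of the original case study) models that reasoning as a small recovery planner: a constructed service inventory with dependencies and backup locations, a topological sort that yields a valid restore order, and a check that flags services whose only backup copies sat on network-reachable storage. The service names, location labels and the split between "reachable" and "isolated" storage are assumptions made for the illustration.

```python
"""Dependency-ordered recovery planner (added example, not the client's or
Progent's own tooling). Service inventory below is constructed sample data."""
from collections import deque

# Backup copies reachable from the compromised network are assumed destroyed,
# as happened in the incident; only isolated copies count as restore sources.
REACHABLE = {"online-share", "domain-joined-nas"}
ISOLATED = {"offline-tape", "air-gapped-disk", "immutable-cloud"}

# Constructed inventory: service -> (dependencies, backup locations)
SERVICES = {
    "Active Directory": ((), ("online-share", "offline-tape")),
    "Exchange": (("Active Directory",), ("online-share",)),
    "SQL Server": (("Active Directory",), ("online-share", "air-gapped-disk")),
    "Accounting/MRP": (("SQL Server",), ("air-gapped-disk",)),
    "Web applications": (("SQL Server",), ("immutable-cloud",)),
}


def restore_order(services):
    """Kahn's algorithm: order services so every dependency precedes the
    service that needs it. Raises ValueError on a circular dependency."""
    indegree = {name: 0 for name in services}
    dependents = {name: [] for name in services}
    for name, (deps, _) in services.items():
        for dep in deps:
            if dep not in services:
                raise KeyError(f"{name} depends on unknown service {dep}")
            indegree[name] += 1
            dependents[dep].append(name)
    # Sorted so the output is deterministic when several services are ready.
    ready = deque(sorted(n for n, d in indegree.items() if d == 0))
    order = []
    while ready:
        name = ready.popleft()
        order.append(name)
        for child in sorted(dependents[name]):
            indegree[child] -= 1
            if indegree[child] == 0:
                ready.append(child)
    if len(order) != len(services):
        raise ValueError("circular dependency in service inventory")
    return order


def restore_sources(services):
    """Map each service to its surviving (isolated) backup copies. An empty
    list means the service must be rebuilt from scratch or from secondary
    artifacts, as Exchange mail was rebuilt from user OST files."""
    sources = {}
    for name, (_, locations) in services.items():
        for loc in locations:
            if loc not in ISOLATED | REACHABLE:
                raise KeyError(f"{name}: unknown backup location {loc}")
        sources[name] = [loc for loc in locations if loc in ISOLATED]
    return sources


def recovery_plan(services):
    """Return (service, surviving sources) pairs in restore order."""
    sources = restore_sources(services)
    return [(name, sources[name]) for name in restore_order(services)]


if __name__ == "__main__":
    for step, (name, sources) in enumerate(recovery_plan(SERVICES), 1):
        status = ", ".join(sources) if sources else "NO SURVIVING BACKUP - rebuild"
        print(f"{step}. {name}: {status}")
```

Run stand-alone, the planner lists Active Directory first and marks Exchange as having no surviving backup, which is exactly the situation that forced the OST-based mail recovery in the case study; the same inventory model can be maintained before an incident to show which services would be unrecoverable if network-reachable backups were lost.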


"For the most part, the production manufacturing operation survived unscathed and we produced all customer sales."

Throughout the following month, critical milestones in the recovery project were completed in close cooperation between Progent team members and the client:

  • Self-hosted web applications were restored with no loss of information.
  • The MailStore archive server for Microsoft Exchange, with over four million historical emails, was spun up and accessible to users.
  • CRM/Product Ordering/Invoicing/Accounts Payable (AP)/AR/Inventory modules were fully restored.
  • A new Palo Alto Networks 850 security appliance was installed.
  • 90% of the user desktops and notebooks were operational.

"Much of what transpired that first week is nearly entirely a blur for me, but I will not soon forget the dedication each of you put in to give us our company back. I've been working with Progent for the past 10 years, maybe more, and each time I needed help Progent has impressed me and delivered as promised. This time was a life saver."

Conclusion
A potential business-killing catastrophe was avoided by top-tier professionals, a wide range of technical expertise, and tight teamwork. In hindsight, the ransomware penetration detailed here should have been shut down by current security technology and best practices: user and IT administrator training, well thought out procedures for data backup, and keeping systems up to date with security patches. The reality, however, is that government-sponsored hackers from Russia, North Korea and elsewhere are relentless and will keep attacking. If you do fall victim to a ransomware incursion, feel confident that Progent's roster of experts has proven experience in ransomware blocking, mitigation, and information systems restoration.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others who were contributing), I'm grateful for letting me get some sleep after we made it past the initial fire. Everyone did an impressive effort, and if any of your team is visiting the Chicago area, dinner is the least I can do!"

To review or download a PDF version of this case study, click:
Progent's Ryuk Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent can provide businesses in Mobile a variety of online monitoring and security assessment services designed to help you reduce your vulnerability to crypto-ransomware. These services include next-generation artificial intelligence capability to uncover new variants of ransomware that are able to evade legacy signature-based security products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring is an endpoint protection service that utilizes cutting edge behavior-based analysis technology to defend physical and virtual endpoint devices against new malware assaults such as ransomware and email phishing, which easily get past traditional signature-matching AV products. ProSight Active Security Monitoring protects on-premises and cloud resources and provides a unified platform to manage the entire threat lifecycle including blocking, infiltration detection, mitigation, cleanup, and forensics. Top features include single-click rollback with Windows VSS and real-time system-wide immunization against new attacks. Read more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection: Physical and Virtual Endpoint Security and Microsoft Exchange Filtering
    ProSight Enhanced Security Protection managed services offer economical multi-layer security for physical servers and virtual machines, workstations, smartphones, and Exchange email. ProSight ESP uses adaptive security and advanced heuristics for continuously monitoring and reacting to security assaults from all vectors. ProSight ESP offers firewall protection, intrusion alarms, endpoint control, and web filtering via cutting-edge technologies incorporated within a single agent managed from a unified console. Progent's data protection and virtualization consultants can assist you to design and implement a ProSight ESP deployment that meets your organization's unique requirements and that allows you to demonstrate compliance with government and industry data protection regulations. Progent will help you specify and implement policies that ProSight ESP will manage, and Progent will monitor your IT environment and respond to alarms that require immediate action. Progent's consultants can also assist you to set up and test a backup and disaster recovery solution like ProSight Data Protection Services so you can recover rapidly from a potentially disastrous cyber attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint security and Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery
    ProSight Data Protection Services provide small and mid-sized organizations a low cost end-to-end solution for secure backup/disaster recovery. Available at a fixed monthly price, ProSight Data Protection Services automates and monitors your backup processes and allows rapid restoration of critical data, apps and virtual machines that have become lost or corrupted due to hardware failures, software bugs, disasters, human error, or malware attacks like ransomware. ProSight Data Protection Services can help you protect, recover and restore files, folders, applications, system images, as well as Microsoft Hyper-V and VMware images. Critical data can be protected in the cloud, on an on-premises device, or mirrored to both. Progent's cloud backup specialists can deliver world-class expertise to configure ProSight DPS to comply with regulatory requirements like HIPAA, FERPA, PCI and Safe Harbor and, when needed, can help you to restore your critical information. Find out more about ProSight Data Protection Services Managed Cloud Backup.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering service that incorporates the technology of leading data security companies to provide centralized management and comprehensive security for all your email traffic. The hybrid architecture of Email Guard managed service integrates cloud-based filtering with a local security gateway appliance to provide advanced protection against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks, and other email-borne malware. The Cloud Protection Layer acts as a preliminary barricade and keeps most unwanted email from making it to your network firewall. This decreases your vulnerability to inbound attacks and conserves network bandwidth and storage. Email Guard's on-premises gateway device provides a deeper level of analysis for incoming email. For outbound email, the on-premises security gateway offers AV and anti-spam filtering, DLP, and email encryption. The local security gateway can also help Exchange Server to monitor and protect internal email traffic that stays within your corporate firewall. For more details, visit Email Guard spam and content filtering.

  • ProSight WAN Watch: Infrastructure Management
    Progent's ProSight WAN Watch is an infrastructure management service that makes it easy and affordable for smaller organizations to diagram, track, reconfigure and troubleshoot their networking appliances like routers, firewalls, and load balancers as well as servers, printers, endpoints and other networked devices. Incorporating cutting-edge Remote Monitoring and Management technology, ProSight WAN Watch ensures that infrastructure topology maps are always current, copies and displays the configuration information of almost all devices connected to your network, tracks performance, and generates notices when problems are detected. By automating time-consuming management processes, ProSight WAN Watch can cut hours off ordinary tasks like network mapping, reconfiguring your network, locating appliances that need critical updates, or isolating performance problems. Learn more about ProSight WAN Watch infrastructure monitoring and management services.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring
    ProSight LAN Watch is Progent's server and desktop monitoring service that incorporates advanced remote monitoring and management (RMM) technology to help keep your IT system running at peak levels by tracking the state of vital computers that power your business network. When ProSight LAN Watch uncovers an issue, an alarm is sent automatically to your specified IT staff and your assigned Progent consultant so all potential problems can be addressed before they can disrupt productivity. Learn more about ProSight LAN Watch server and desktop remote monitoring consulting.

  • ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
    With Progent's ProSight Virtual Hosting service, a small business can have its key servers and applications hosted in a secure fault tolerant data center on a fast virtual host set up and maintained by Progent's IT support professionals. With Progent's ProSight Virtual Hosting model, the client retains ownership of the data, the operating system software, and the apps. Because the system is virtualized, it can be moved immediately to an alternate hardware solution without a time-consuming and technically risky configuration procedure. With ProSight Virtual Hosting, your business is not locked into one hosting service. Learn more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to create, maintain, find and safeguard data related to your IT infrastructure, processes, business apps, and services. You can instantly locate passwords or IP addresses and be warned about upcoming expirations of SSL certificates or warranties. By updating and organizing your IT infrastructure documentation, you can save up to 50% of the time wasted looking for vital information about your network. ProSight IT Asset Management includes a common repository for holding and collaborating on all documents required for managing your business network such as standard operating procedures and How-To's. ProSight IT Asset Management also offers advanced automation for gathering and associating IT information. Whether you're making enhancements, performing maintenance, or responding to a crisis, ProSight IT Asset Management gets you the information you need as soon as you need it. Learn more about Progent's ProSight IT Asset Management service.
For Mobile 24-7 CryptoLocker Removal Consultants, reach out to Progent at 800-993-9400 or go to Contact Progent.