Ransomware : Your Crippling Information Technology Catastrophe
Ransomware  Recovery ProfessionalsCrypto-Ransomware has become an escalating cyberplague that poses an extinction-level threat for businesses poorly prepared for an attack. Multiple generations of ransomware like the Reveton, Fusob, Locky, NotPetya and MongoLock cryptoworms have been running rampant for many years and still cause harm. The latest strains of ransomware like Ryuk, Maze, Sodinokibi, Netwalker, Conti or Nephilim, plus additional unnamed newcomers, not only encrypt on-line files but also infiltrate any accessible system protection mechanisms. Information synchronized to off-site disaster recovery sites can also be ransomed. In a poorly designed data protection solution, this can make automated restore operations useless and basically knocks the network back to zero.

Restoring applications and information after a crypto-ransomware attack becomes a race against the clock as the victim struggles to stop lateral movement and eradicate the ransomware and to resume business-critical operations. Since ransomware requires time to replicate, assaults are frequently launched during weekends and nights, when successful penetrations in many cases take longer to discover. This multiplies the difficulty of promptly assembling and coordinating an experienced mitigation team.

Progent offers a variety of solutions for securing enterprises from ransomware events. Among these are user training to help recognize and not fall victim to phishing exploits, ProSight Active Security Monitoring (ASM) for remote monitoring and management, in addition to setup and configuration of next-generation security appliances with machine learning technology to quickly detect and suppress zero-day cyber attacks. Progent also offers the assistance of experienced ransomware recovery consultants with the skills and commitment to restore a breached environment as rapidly as possible.

Progent's Ransomware Restoration Support Services
Soon after a ransomware event, paying the ransom demands in Bitcoin cryptocurrency does not ensure that merciless criminals will return the codes to unencrypt any of your data. Kaspersky ascertained that 17% of ransomware victims never recovered their files even after having paid the ransom, resulting in additional losses. The risk is also very costly. Ryuk ransoms often range from 15-40 BTC ($120,000 and $400,000). This is greatly higher than the typical ransomware demands, which ZDNET estimates to be around $13,000. The fallback is to setup from scratch the essential components of your Information Technology environment. Without access to complete information backups, this requires a wide range of IT skills, top notch team management, and the capability to work 24x7 until the task is done.

For decades, Progent has made available expert IT services for companies in Reno and across the United States and has achieved Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes consultants who have attained top certifications in key technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cyber security experts have earned internationally-renowned certifications including CISA, CISSP-ISSAP, CRISC, and GIAC. (Refer to Progent's certifications). Progent in addition has experience with financial systems and ERP application software. This breadth of expertise gives Progent the capability to rapidly understand important systems and re-organize the remaining parts of your network system following a ransomware penetration and rebuild them into an operational system.

Progent's ransomware team has best of breed project management tools to coordinate the complex restoration process. Progent appreciates the importance of acting swiftly and in concert with a client's management and IT staff to assign priority to tasks and to get critical systems back on-line as fast as possible.

Client Case Study: A Successful Crypto-Ransomware Penetration Recovery
A customer escalated to Progent after their network was attacked by the Ryuk ransomware. Ryuk is generally considered to have been created by North Korean government sponsored criminal gangs, suspected of using technology exposed from Americaís National Security Agency. Ryuk goes after specific businesses with limited ability to sustain disruption and is one of the most profitable examples of ransomware malware. Major organizations include Data Resolution, a California-based info warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a small manufacturing business headquartered in Chicago and has around 500 employees. The Ryuk intrusion had paralyzed all company operations and manufacturing capabilities. Most of the client's data protection had been directly accessible at the start of the attack and were damaged. The client was evaluating paying the ransom (exceeding $200K) and hoping for the best, but ultimately called Progent.


"I canít thank you enough in regards to the care Progent gave us during the most critical time of (our) companyís existence. We would have paid the criminal gangs except for the confidence the Progent team afforded us. The fact that you were able to get our messaging and essential applications back into operation in less than seven days was incredible. Each expert I worked with or texted at Progent was amazingly focused on getting us restored and was working breakneck pace to bail us out."

Progent worked hand in hand the client to quickly get our arms around and prioritize the mission critical systems that needed to be addressed to make it possible to continue departmental operations:

  • Active Directory (AD)
  • Email
  • Accounting and Manufacturing Software
To start, Progent adhered to AV/Malware Processes penetration mitigation best practices by halting the spread and clearing infected systems. Progent then initiated the steps of recovering Microsoft AD, the foundation of enterprise systems built on Microsoft technology. Exchange email will not work without Active Directory, and the businessesí accounting and MRP applications used Microsoft SQL Server, which needs Active Directory services for security authorization to the information.

Within 2 days, Progent was able to recover Active Directory services to its pre-penetration state. Progent then charged ahead with rebuilding and storage recovery on critical systems. All Microsoft Exchange Server schema and configuration information were usable, which accelerated the rebuild of Exchange. Progent was also able to find intact OST data files (Outlook Email Offline Folder Files) on team desktop computers and laptops to recover email data. A recent off-line backup of the customerís manufacturing software made them able to restore these required applications back online. Although a lot of work was left to recover fully from the Ryuk virus, critical systems were restored rapidly:


"For the most part, the manufacturing operation ran fairly normal throughout and we delivered all customer shipments."

During the next month key milestones in the restoration project were accomplished in tight cooperation between Progent engineers and the customer:

  • Self-hosted web applications were returned to operation with no loss of data.
  • The MailStore Server with over four million archived messages was spun up and accessible to users.
  • CRM/Product Ordering/Invoicing/AP/Accounts Receivables/Inventory capabilities were 100 percent functional.
  • A new Palo Alto Networks 850 security appliance was brought online.
  • Ninety percent of the user workstations were operational.

"A lot of what happened in the early hours is nearly entirely a fog for me, but my management will not soon forget the urgency all of your team put in to help get our company back. I have trusted Progent for the past 10 years, possibly more, and each time I needed help Progent has come through and delivered as promised. This situation was a testament to your capabilities."

Conclusion
A probable business disaster was averted by hard-working professionals, a broad spectrum of subject matter expertise, and tight teamwork. Although in analyzing the event afterwards the ransomware virus attack described here would have been identified and prevented with up-to-date cyber security technology and recognized best practices, staff education, and properly executed incident response procedures for information protection and keeping systems up to date with security patches, the reality remains that state-sponsored cybercriminals from China, Russia, North Korea and elsewhere are relentless and are not going away. If you do fall victim to a crypto-ransomware penetration, feel confident that Progent's roster of professionals has proven experience in crypto-ransomware virus defense, cleanup, and information systems disaster recovery.


"So, to Darrin, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others that were contributing), Iím grateful for allowing me to get rested after we made it through the most critical parts. Everyone did an incredible effort, and if any of your team is in the Chicago area, a great meal is on me!"

To read or download a PDF version of this case study, click:
Progent's Crypto-Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent offers companies in Reno a range of remote monitoring and security assessment services to assist you to reduce your vulnerability to ransomware. These services utilize next-generation machine learning technology to uncover new variants of ransomware that can get past traditional signature-based security products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection service that incorporates cutting edge behavior-based machine learning tools to defend physical and virtual endpoint devices against new malware attacks like ransomware and file-less exploits, which routinely get by legacy signature-based AV products. ProSight ASM protects on-premises and cloud resources and offers a single platform to manage the entire threat lifecycle including blocking, identification, containment, cleanup, and forensics. Top features include one-click rollback using Windows Volume Shadow Copy Service (VSS) and automatic system-wide immunization against newly discovered threats. Learn more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection (ESP): Endpoint Security and Microsoft Exchange Email Filtering
    ProSight Enhanced Security Protection services deliver affordable in-depth protection for physical and virtual servers, workstations, mobile devices, and Microsoft Exchange. ProSight ESP uses contextual security and advanced machine learning for continuously monitoring and responding to security threats from all vectors. ProSight ESP offers two-way firewall protection, intrusion alarms, endpoint management, and web filtering via cutting-edge technologies packaged within one agent managed from a unified console. Progent's data protection and virtualization consultants can assist your business to plan and implement a ProSight ESP deployment that addresses your company's specific requirements and that allows you demonstrate compliance with government and industry data protection standards. Progent will help you specify and implement security policies that ProSight ESP will enforce, and Progent will monitor your network and respond to alerts that require immediate attention. Progent's consultants can also help your company to set up and verify a backup and restore system like ProSight Data Protection Services so you can get back in business rapidly from a destructive cyber attack like ransomware. Read more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint protection and Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery
    ProSight Data Protection Services from Progent offer small and medium-sized businesses an affordable and fully managed service for secure backup/disaster recovery (BDR). For a fixed monthly cost, ProSight Data Protection Services automates and monitors your backup processes and allows fast restoration of critical data, apps and virtual machines that have become unavailable or corrupted due to hardware failures, software bugs, natural disasters, human error, or malicious attacks such as ransomware. ProSight DPS can help you protect, recover and restore files, folders, applications, system images, plus Microsoft Hyper-V and VMware images/. Important data can be protected on the cloud, to a local storage device, or to both. Progent's cloud backup consultants can deliver world-class expertise to set up ProSight DPS to be compliant with regulatory standards such as HIPAA, FIRPA, and PCI and, whenever needed, can assist you to recover your business-critical data. Find out more about ProSight Data Protection Services Managed Cloud Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering and email encryption service that incorporates the infrastructure of top data security vendors to deliver centralized control and world-class security for your inbound and outbound email. The hybrid structure of Email Guard combines cloud-based filtering with an on-premises security gateway appliance to provide complete protection against spam, viruses, Denial of Service (DoS) Attacks, Directory Harvest Attacks, and other email-based threats. Email Guard's Cloud Protection Layer serves as a preliminary barricade and blocks most threats from reaching your network firewall. This decreases your vulnerability to external attacks and conserves system bandwidth and storage. Email Guard's on-premises gateway appliance provides a deeper level of analysis for incoming email. For outbound email, the on-premises gateway offers anti-virus and anti-spam protection, DLP, and email encryption. The on-premises gateway can also help Exchange Server to monitor and protect internal email that originates and ends within your security perimeter. For more details, see ProSight Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Infrastructure Management
    ProSight WAN Watch is a network infrastructure management service that makes it easy and inexpensive for small and mid-sized organizations to map out, track, enhance and debug their connectivity appliances like switches, firewalls, and wireless controllers as well as servers, printers, client computers and other networked devices. Incorporating state-of-the-art Remote Monitoring and Management technology, WAN Watch makes sure that network maps are kept updated, captures and displays the configuration information of almost all devices on your network, tracks performance, and generates alerts when problems are detected. By automating time-consuming network management processes, WAN Watch can knock hours off ordinary tasks such as network mapping, expanding your network, finding appliances that need critical software patches, or resolving performance bottlenecks. Learn more about ProSight WAN Watch network infrastructure management consulting.

  • ProSight LAN Watch: Server and Desktop Monitoring and Management
    ProSight LAN Watch is Progentís server and desktop monitoring service that uses advanced remote monitoring and management (RMM) technology to help keep your network running efficiently by checking the state of vital assets that drive your information system. When ProSight LAN Watch uncovers an issue, an alarm is sent automatically to your specified IT staff and your Progent consultant so that all potential issues can be resolved before they can disrupt your network. Find out more about ProSight LAN Watch server and desktop remote monitoring consulting.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With Progent's ProSight Virtual Hosting service, a small business can have its critical servers and apps hosted in a protected Tier III data center on a fast virtual machine host set up and maintained by Progent's IT support professionals. Under the ProSight Virtual Hosting model, the client owns the data, the operating system software, and the apps. Since the environment is virtualized, it can be ported easily to an alternate hardware environment without a lengthy and difficult configuration process. With ProSight Virtual Hosting, you are not locked into one hosting service. Find out more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to create, update, find and safeguard information about your IT infrastructure, processes, business apps, and services. You can instantly find passwords or serial numbers and be alerted automatically about impending expirations of SSLs or warranties. By updating and managing your IT documentation, you can save as much as half of time spent searching for vital information about your network. ProSight IT Asset Management features a common location for holding and sharing all documents related to managing your business network like standard operating procedures and How-To's. ProSight IT Asset Management also supports advanced automation for gathering and associating IT information. Whether youíre making improvements, performing maintenance, or responding to an emergency, ProSight IT Asset Management delivers the data you need as soon as you need it. Read more about Progent's ProSight IT Asset Management service.
For 24-Hour Reno Crypto-Ransomware Remediation Consultants, call Progent at 800-993-9400 or go to Contact Progent.