Ransomware : Your Feared IT Catastrophe
Ransomware has become an all-too-frequent cyberplague that presents an existential danger for organizations poorly prepared for an attack. Multiple generations of crypto-ransomware like the Dharma, CryptoWall, Locky, SamSam and MongoLock cryptoworms have been replicating for years and continue to inflict havoc. More recent strains such as Ryuk and Hermes, as well as other as yet unnamed malware, not only encrypt on-line data but also corrupt every backup and system-protection mechanism reachable from the infected network. Information synched to the cloud can also be corrupted. In a vulnerable environment, this can render automated recovery useless and effectively set the datacenter back to zero.
Retrieving programs and information after a ransomware attack becomes a race against the clock as the targeted business tries to stop lateral movement, eradicate the malware, and resume mission-critical activity. Because ransomware takes time to spread, attacks are usually sprung on weekends and holidays, when they typically take longer to detect. This compounds the difficulty of promptly mobilizing and coordinating an experienced response team.
Progent provides an assortment of help services for protecting enterprises from ransomware penetrations. These include team training to help identify and not fall victim to phishing scams, ProSight Active Security Monitoring for remote monitoring and management, plus deployment of next-generation security gateways with machine learning technology to intelligently discover and quarantine new cyber threats. Progent also offers the assistance of veteran ransomware recovery professionals with the skills and perseverance to restore a breached environment as soon as possible.
Progent's Ransomware Recovery Services
After a ransomware attack, paying the ransom demanded in Bitcoin does not guarantee that the remote criminals will provide the keys needed to decrypt any of your information. Kaspersky Labs determined that 17% of ransomware victims never recovered their data even after paying the ransom, resulting in further losses. The gamble is also expensive. Ryuk ransoms commonly range from fifteen to forty BTC ($120,000 to $400,000). This is far higher than the average crypto-ransomware demand, which ZDNET estimates to be approximately $13,000. The other path is to rebuild the essential parts of your IT environment. Without complete system backups, this calls for a broad complement of skills, professional project management, and the capability to work 24x7 until the job is done.
For two decades, Progent has offered certified expert IT services for companies in Reno and throughout the US and has earned Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes consultants who have earned high-level certifications in key technologies such as Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cyber security experts have garnered internationally recognized industry certifications including CISA, CISSP, ISACA CRISC, and SANS GIAC. (Visit Progent's certifications). Progent also has experience in financial systems and ERP application software. This breadth of expertise allows Progent to rapidly identify critical systems, salvage the surviving parts of your IT environment after a ransomware attack, and reassemble them into a functioning whole.
Progent's security team uses state-of-the-art project management tools to coordinate the complex recovery process. Progent understands the urgency of acting quickly and in concert with a customer's management and IT team members to prioritize tasks and to put essential services back online as soon as humanly possible.
Customer Story: A Successful Ransomware Intrusion Recovery
A customer engaged Progent after their organization was brought down by Ryuk crypto-ransomware. Ryuk is thought to have been developed by North Korean state-backed criminal gangs, possibly using technology leaked from the United States NSA. Ryuk targets specific organizations with little tolerance for operational disruption and is among the most profitable ransomware families. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a regional manufacturing business headquartered in Chicago with around 500 employees. The Ryuk attack had shut down all essential business operations and manufacturing processes. Most of the client's system backups had been directly accessible from the network when the attack began and were damaged. The client considered paying the ransom (more than $200,000) and hoping for the best, but ultimately reached out to Progent.
"I cannot thank you enough about the expertise Progent gave us throughout the most critical time of (our) company's life. We most likely would have paid the cyber criminals behind the attack except for the confidence the Progent experts provided us. That you were able to get our e-mail and critical applications back on-line in less than 1 week was something I thought impossible. Every single person I interacted with or e-mailed at Progent was laser focused on getting us operational and was working non-stop on our behalf."
Progent worked with the client to quickly identify and prioritize the mission-critical systems that had to be restored in order to continue business operations:
- Microsoft Active Directory
- Microsoft Exchange
To begin, Progent followed industry best practices for malware incident response by stopping lateral movement and disinfecting systems. Progent then started the task of recovering Microsoft Active Directory, the foundation of enterprise networks built on Microsoft technology. Microsoft Exchange email will not operate without Active Directory, and the customer's financial and MRP applications ran on Microsoft SQL Server, which relies on Active Directory for authentication to the databases.
In less than two days, Progent was able to rebuild Windows Active Directory to its pre-intrusion state. Progent then carried out reinstallations and hard drive recovery of mission-critical systems. All Exchange Server schema and configuration information were intact, which facilitated the rebuild of Exchange. Progent was also able to gather local OST files (Outlook Offline Folder Files) from various PCs in order to recover mail messages. A recent offline backup of the business's accounting/ERP systems made it possible to bring those essential applications back to users. Although significant work remained to recover completely from the Ryuk attack, essential services were restored quickly:
"For the most part, the production operation ran fairly normal throughout and we delivered all customer shipments."
Throughout the next couple of weeks key milestones in the restoration process were accomplished in close collaboration between Progent engineers and the customer:
- Internal web sites were restored without losing any data.
- The MailStore Exchange Server containing more than four million archived messages was spun up and available for users.
- CRM/Product Ordering/Invoicing/Accounts Payable/AR/Inventory Control modules were fully recovered.
- A new Palo Alto Networks 850 security appliance was set up.
- 90% of the user desktops were back into operation.
"So much of what was accomplished in the initial days is mostly a haze for me, but I will not soon forget the urgency all of you put in to give us our company back. I've utilized Progent for the past 10 years, maybe more, and every time I needed help Progent has shined and delivered as promised. This event was the most impressive ever."
A potential business-ending catastrophe was averted thanks to dedicated experts, a broad array of subject matter expertise, and tight teamwork. Although, in post-mortem, the attack detailed here should have been stopped by advanced cyber security technology and best practices, user training, and well-designed procedures for information protection and software patching, the fact remains that state-sponsored criminal cyber gangs from China, Russia, North Korea and elsewhere are relentless and represent an ongoing threat. If you do fall victim to a crypto-ransomware attack, remember that Progent's team of professionals has extensive experience in crypto-ransomware defense, cleanup, and data disaster recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (and any others who were involved), thanks very much for allowing me to get rested after we made it past the initial push. All of you did an impressive effort, and if anyone is around the Chicago area, a great meal is my treat!"
To read or download a PDF version of this customer case study, please click:
Progent's Crypto-Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Offered by Progent
Progent can provide companies in Reno a portfolio of online monitoring and security evaluation services to help you minimize your exposure to ransomware. These services use modern artificial intelligence capabilities to uncover zero-day variants of ransomware that can escape detection by legacy signature-based anti-virus solutions.
For Reno 24-7 Crypto-Ransomware Recovery Help, reach out to Progent at 800-993-9400 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring is an endpoint protection service that incorporates next generation behavior analysis tools to defend physical and virtual endpoints against new malware attacks such as ransomware and email phishing, which easily evade traditional signature-based anti-virus tools. ProSight ASM safeguards on-premises and cloud resources and provides a unified platform to manage the entire threat lifecycle including filtering, identification, mitigation, cleanup, and forensics. Top features include single-click rollback using Windows VSS and automatic system-wide immunization against newly discovered attacks. Read more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware defense.
- ProSight Enhanced Security Protection: Physical and Virtual Endpoint Protection and Microsoft Exchange Filtering
ProSight Enhanced Security Protection managed services offer affordable multi-layer security for physical servers and virtual machines, workstations, smartphones, and Microsoft Exchange. ProSight ESP uses adaptive security and advanced machine learning for round-the-clock monitoring and responding to security assaults from all vectors. ProSight ESP offers firewall protection, penetration alerts, endpoint management, and web filtering via cutting-edge technologies incorporated within a single agent managed from a unified console. Progent's data protection and virtualization experts can help your business to design and configure a ProSight ESP environment that addresses your company's specific needs and that helps you prove compliance with legal and industry information security regulations. Progent will help you specify and configure policies that ProSight ESP will manage, and Progent will monitor your network and respond to alerts that call for urgent attention. Progent's consultants can also help you to set up and verify a backup and restore system such as ProSight Data Protection Services so you can recover quickly from a destructive cyber attack like ransomware. Find out more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint security and Exchange filtering.
- ProSight Data Protection Services: Managed Backup and Recovery
ProSight Data Protection Services provide small and medium-sized organizations an affordable end-to-end service for secure backup and disaster recovery. For a fixed monthly price, ProSight DPS automates your backup activities and allows rapid recovery of vital files, apps and virtual machines that have become unavailable or corrupted as a result of component failures, software bugs, natural disasters, human mistakes, or malware attacks like ransomware. ProSight DPS can help you back up, retrieve and restore files, folders, applications, system images, plus Microsoft Hyper-V and VMware images. Important data can be backed up to the cloud, to an on-premises storage device, or to both. Progent's backup and recovery consultants can deliver world-class support to configure ProSight DPS to comply with government and industry regulatory requirements such as HIPAA, FERPA, and PCI and, when needed, can help you to recover your critical information. Read more about ProSight DPS Managed Backup and Recovery.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam filtering service that incorporates the infrastructure of top information security companies to deliver web-based management and world-class security for all your email traffic. The hybrid architecture of Progent's Email Guard integrates a Cloud Protection Layer with a local gateway appliance to offer complete protection against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks, and other email-borne threats. Email Guard's cloud filter serves as a preliminary barricade and blocks most unwanted email from making it to your security perimeter. This reduces your exposure to inbound threats and saves system bandwidth and storage space. Email Guard's onsite security gateway device adds a further level of analysis for incoming email. For outbound email, the on-premises gateway offers AV and anti-spam filtering, protection against data leaks, and email encryption. The on-premises gateway can also assist Microsoft Exchange Server to track and safeguard internal email traffic that originates and ends inside your security perimeter. For more details, see Email Guard spam filtering and data leakage protection.
- ProSight WAN Watch: Infrastructure Management
Progent's ProSight WAN Watch is an infrastructure monitoring and management service that makes it simple and inexpensive for small and mid-sized organizations to diagram, monitor, optimize and troubleshoot their networking appliances such as switches, firewalls, and wireless controllers plus servers, printers, endpoints and other devices. Using state-of-the-art Remote Monitoring and Management (RMM) technology, ProSight WAN Watch makes sure that infrastructure topology maps are always current, copies and manages the configuration information of virtually all devices on your network, tracks performance, and sends notices when potential issues are detected. By automating complex management and troubleshooting processes, ProSight WAN Watch can cut hours off common tasks such as network mapping, expanding your network, locating appliances that need critical updates, or resolving performance bottlenecks. Learn more details about ProSight WAN Watch infrastructure monitoring and management services.
- ProSight LAN Watch: Server and Desktop Monitoring
ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that incorporates state-of-the-art remote monitoring and management (RMM) technology to keep your IT system operating at peak levels by tracking the health of critical assets that drive your information system. When ProSight LAN Watch uncovers a problem, an alert is sent automatically to your specified IT management personnel and your assigned Progent consultant so all potential problems can be resolved before they can impact productivity. Find out more about ProSight LAN Watch server and desktop remote monitoring consulting.
- ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
With Progent's ProSight Virtual Hosting service, a small organization can have its key servers and applications hosted in a protected, fault-tolerant data center on a fast virtual host configured and maintained by Progent's IT support professionals. Under the ProSight Virtual Hosting service model, the client owns the data, the OS software, and the applications. Because the environment is virtualized, it can be moved immediately to a different hosting solution without requiring a lengthy and technically risky configuration procedure. With ProSight Virtual Hosting, your business is not tied to a single hosting service. Find out more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management is an IT infrastructure documentation management service that allows you to create, update, retrieve and protect data about your IT infrastructure, procedures, applications, and services. You can quickly find passwords or IP addresses and be alerted automatically about impending expirations of SSL certificates, domains or warranties. By updating and organizing your IT infrastructure documentation, you can eliminate as much as 50% of the time spent trying to find vital information about your IT network. ProSight IT Asset Management includes a centralized location for storing and collaborating on all documents required for managing your network infrastructure, such as standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also supports a high level of automation for gathering and associating IT information. Whether you're planning improvements, performing maintenance, or responding to an emergency, ProSight IT Asset Management gets you the knowledge you require as soon as you need it. Find out more about ProSight IT Asset Management service.