Ransomware : Your Worst IT Disaster
Crypto-ransomware has become an escalating cyber pandemic that poses an existential threat to businesses of any size that are poorly prepared for an attack. Ransomware families such as CrySIS, Fusob, Locky, NotPetya and MongoLock have been in the wild for years and still inflict harm. Newer strains such as Ryuk (a derivative of the Hermes ransomware), along with a steady stream of unnamed variants, not only encrypt critical online data but also seek out and encrypt any backups reachable from the compromised network. Data replicated to the cloud can be corrupted as well. In a poorly designed environment this can make automated restoration impossible and effectively resets the network to zero.
Recovering applications and data after a ransomware event becomes a race against time as the victim struggles to contain the spread, eradicate the malware, and restore business-critical activity. Because the attackers have usually spent days moving laterally and staging before they encrypt, the payload is frequently detonated at night or on a weekend, when it takes longer to notice the attack and longer to assemble a knowledgeable response team. This multiplies the difficulty of rapidly marshalling and orchestrating an effective mitigation effort.
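One practical way to catch the backup-destruction step described above while it is happening: before encrypting, ransomware such as Ryuk runs a kill script that deletes the local Volume Shadow Copies, shrinks shadow storage, deletes the Windows backup catalog and disables boot recovery, so that rollback from local snapshots becomes impossible. The script below is an added example, not Progent's code and not part of any ProSight product. It scans constructed process-creation records (the "ts host= user= parent= cmd=" layout is an assumption of this example, not a Windows or Sysmon format) for those well-known tampering commands, and flags hosts where several distinct ones fire within one minute, which separates a kill script from a lone administrator running vssadmin by hand.

```python
"""Flag Windows process-creation events that indicate ransomware destroying
local recovery points (shadow copies, backup catalogs, boot recovery).

Added example, not Progent's code or part of ProSight ASM. The log records
are constructed; the "ts host= user= parent= cmd=" layout is an assumption
of this example, not a Windows or Sysmon format.
"""
import re
from datetime import datetime

# Command lines widely used by ransomware kill scripts to make rollback impossible.
BACKUP_TAMPERING = [
    ("shadow_copy_delete", re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("shadow_copy_delete", re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("shadow_storage_shrink", re.compile(r"\bvssadmin(\.exe)?\s+resize\s+shadowstorage", re.I)),
    ("backup_catalog_delete", re.compile(r"\bwbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)", re.I)),
    ("recovery_disabled", re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I)),
    ("recovery_disabled", re.compile(r"\bbcdedit(\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I)),
]

LOG_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z\s+host=(?P<host>\S+)\s+"
    r"user=(?P<user>\S+)\s+parent=(?P<parent>\S+)\s+cmd=(?P<cmd>.*)$"
)


def parse_event(line: str):
    """Parse one constructed log record into a dict, or None if malformed."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%S")
    return ev


def tampering_indicators(cmd: str) -> list:
    """Return the sorted set of indicator labels matched by a command line."""
    return sorted({label for label, pat in BACKUP_TAMPERING if pat.search(cmd)})


def scan(lines) -> list:
    """Return one alert per event whose command line matches an indicator."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        hits = tampering_indicators(ev["cmd"])
        if hits:
            alerts.append({**ev, "indicators": hits})
    return alerts


def hosts_under_attack(alerts, window_seconds=60, threshold=3) -> dict:
    """Hosts where at least `threshold` distinct indicators fired within a window.

    A single 'vssadmin delete shadows' can be a legitimate admin action; several
    different tampering commands within a minute is the signature of a kill
    script run just before encryption starts.
    """
    by_host = {}
    for a in alerts:
        by_host.setdefault(a["host"], []).append(a)
    flagged = {}
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            window = [e for e in evs[i:] if (e["ts"] - first["ts"]).total_seconds() <= window_seconds]
            seen = sorted({ind for e in window for ind in e["indicators"]})
            if len(seen) >= threshold:
                flagged[host] = seen
                break
    return flagged


# Constructed records resembling an early-morning weekend kill script on a file server.
SAMPLE_LOG = [
    r"2019-03-02T02:14:07Z host=FS01 user=CORP\svc_backup parent=cmd.exe cmd=vssadmin.exe Delete Shadows /all /quiet",
    r"2019-03-02T02:14:08Z host=FS01 user=CORP\svc_backup parent=cmd.exe cmd=wmic.exe shadowcopy delete",
    r"2019-03-02T02:14:09Z host=FS01 user=CORP\svc_backup parent=cmd.exe cmd=bcdedit /set {default} recoveryenabled No",
    r"2019-03-02T02:14:10Z host=FS01 user=CORP\svc_backup parent=cmd.exe cmd=wbadmin delete catalog -quiet",
    r"2019-03-02T02:15:00Z host=WS17 user=CORP\jdoe parent=explorer.exe cmd=C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
    r"2019-03-02T09:30:12Z host=FS02 user=CORP\admin parent=powershell.exe cmd=vssadmin list shadows",
]


def main():
    alerts = scan(SAMPLE_LOG)
    for a in alerts:
        print(a["ts"].isoformat(), a["host"], a["user"], a["indicators"], a["cmd"])
    print("hosts under attack:", hosts_under_attack(alerts))


if __name__ == "__main__":
    main()
```

The per-event alerts are worth logging on their own, but the burst correlation is what should page someone at 02:14 on a Saturday: four different recovery-destroying commands from one service account on one file server within three seconds is the moment to isolate that host and check the backup target before the encryptor finishes.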
Progent offers a variety of services for protecting businesses from ransomware. These include user training to recognize and avoid phishing, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and deployment of modern security appliances with AI capabilities that automatically detect and quarantine new threats. Progent can also provide veteran ransomware recovery professionals with the skills and persistence to rebuild a breached network as quickly as possible.
Progent's Crypto-Ransomware Recovery Services
After a ransomware attack, paying the ransom in cryptocurrency provides no assurance that the remote criminals will respond with working keys to decrypt your data. Kaspersky Lab found that 17% of ransomware victims never recovered their data even after paying, compounding their losses. The ransom itself is also expensive: Ryuk demands frequently range from 15 to 40 BTC (roughly $120,000 to $400,000), far above the typical ransomware demand, which ZDNet put at around $13,000. The alternative is to rebuild the essential parts of your IT environment. Without complete backups, this requires a wide range of skills, well-coordinated project management, and the ability to work around the clock until the recovery is done.
For two decades, Progent has provided certified expert IT services for companies in Naples and across the United States and holds Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes engineers who hold top industry certifications in foundation technologies including Microsoft, Cisco, VMware, and the major Linux distributions. Progent's security specialists hold internationally recognized certifications including CISM, CISSP-ISSAP, CRISC, and GIAC. (See Progent's certifications.) Progent also has expertise in financial management and ERP application software. This breadth of expertise lets Progent quickly identify critical systems, salvage the usable components of your network after a ransomware attack, and reassemble them into a working environment.
Progent's recovery team has top notch project management tools to coordinate the complex restoration process. Progent understands the importance of acting rapidly and in unison with a client's management and IT team members to assign priority to tasks and to put the most important services back online as soon as possible.
Customer Case Study: A Successful Crypto-Ransomware Intrusion Recovery
A client hired Progent after their network was brought down by the Ryuk ransomware. Ryuk was initially attributed to North Korean state-sponsored actors because of the code it shares with the Hermes ransomware; later analysis attributed it to a Russian-speaking criminal group. Ryuk targets specific organizations with little or no tolerance for disruption and is one of the most profitable ransomware operations. Headline victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a regional manufacturer based in the Chicago metro area with about 500 employees. The Ryuk attack had halted all business operations and manufacturing. Most of the client's backups had been online at the time of the intrusion and were encrypted along with everything else. The client was considering paying the ransom (more than $200K) and hoping for the best, but ultimately engaged Progent.
"I cannot speak enough in regards to the care Progent gave us throughout the most fearful time of (our) company's life. We most likely would have paid the criminal gangs except for the confidence the Progent team afforded us. That you were able to get our messaging and important applications back into operation in less than a week was beyond my wildest dreams. Each expert I talked with or e-mailed at Progent was urgently focused on getting us back online and was working all day and night to bail us out."
Progent worked with the customer to quickly identify and prioritize the critical services that had to be restored before company operations could resume:
- Active Directory (AD)
- Email
- MRP system
First, Progent followed ransomware incident response best practices by containing the spread and cleaning up compromised systems. Progent then began restoring Active Directory, the foundation of any Microsoft-based enterprise network: Exchange email will not function without AD, and the business's financial and MRP systems ran on Microsoft SQL Server, which relied on AD for authentication to the databases.
Within two days, Progent restored Active Directory to its pre-intrusion state. Progent then began rebuilding key servers and recovering data from their disks. All Exchange Server links and attributes in AD were intact, which simplified the Exchange restore. Progent also located unencrypted OST files (Outlook offline data files) on various desktops and laptops and used them to recover email. A recent offline backup of the customer's accounting/ERP software made it possible to bring those essential applications back online. Although significant work remained to recover fully from the Ryuk damage, the most important services were restored quickly:
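The OST recovery step above hinges on telling an intact Outlook data file from one the ransomware has already overwritten, and the file name alone does not settle that (an encryptor may rename, skip, or partially process a file). As an added example, not Progent's tooling, the script below checks the PST/OST header signature (dwMagic "!BDN" at offset 0 and wMagicClient "SM" at offset 8, as documented in the MS-PST format) and the byte entropy of the file's first 4 KB: ciphertext sits near 8 bits per byte, while a genuine header region is mostly zeros. The sample files are constructed in memory; the `.RYK` extension on the encrypted sample is the one Ryuk appended, shown only for illustration, since the verdict is based on content rather than name.

```python
"""Triage candidate Outlook data files (.ost/.pst) salvaged from workstations
after a ransomware incident: keep those whose on-disk header is intact and
set aside those that are encrypted or corrupt.

Added example, not Progent's tooling. The sample files below are constructed
in memory; no real mailbox data is read.
"""
import math
import random

PST_MAGIC = b"!BDN"         # dwMagic at offset 0 (MS-PST header)
PST_CLIENT_MAGIC = b"SM"    # wMagicClient at offset 8
SAMPLE_BYTES = 4096         # region inspected for entropy
ENTROPY_THRESHOLD = 7.0     # bits/byte; ciphertext approaches 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte of the given buffer."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def classify_outlook_file(data: bytes) -> dict:
    """Decide whether a byte buffer looks like an intact PST/OST file."""
    if len(data) < 16:
        return {"verdict": "too_short", "entropy": shannon_entropy(data), "layout": None}
    entropy = shannon_entropy(data[:SAMPLE_BYTES])
    has_magic = data[:4] == PST_MAGIC and data[8:10] == PST_CLIENT_MAGIC
    wver = int.from_bytes(data[10:12], "little")
    layout = {14: "ansi", 15: "ansi", 23: "unicode"}.get(wver, "unknown")
    if has_magic and entropy < ENTROPY_THRESHOLD:
        verdict = "intact"
    elif entropy >= ENTROPY_THRESHOLD:
        verdict = "encrypted_or_corrupt"   # high entropy, no usable header
    else:
        verdict = "not_outlook_data"       # low entropy but wrong signature
    return {"verdict": verdict, "entropy": round(entropy, 2), "layout": layout if has_magic else None}


def triage(candidates: dict) -> dict:
    """Map file name -> verdict for a batch of salvaged files.

    The verdict depends only on content: a renamed file (e.g. ransomware
    appending its own extension) is still judged by what is inside it.
    """
    return {name: classify_outlook_file(blob)["verdict"] for name, blob in candidates.items()}


def build_intact_ost(size: int = 8192) -> bytes:
    """Construct a minimal Unicode-layout PST/OST header followed by zero padding."""
    buf = bytearray(size)
    buf[0:4] = PST_MAGIC
    buf[8:10] = PST_CLIENT_MAGIC
    buf[10:12] = (23).to_bytes(2, "little")   # wVer 23 = Unicode layout per MS-PST
    buf[12:14] = (19).to_bytes(2, "little")   # wVerClient
    return bytes(buf)


def build_encrypted_blob(size: int = 8192, seed: int = 2019) -> bytes:
    """Stand-in for ransomware output: uniformly random bytes (high entropy)."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(size))


# Constructed sample set: one intact OST, one encrypted copy, one unrelated file.
SAMPLE_FILES = {
    r"WS17\jdoe\outlook.ost": build_intact_ost(),
    r"WS22\asmith\outlook.ost.RYK": build_encrypted_blob(),
    r"WS22\asmith\notes.txt": b"Call vendor about PO 4471\n" * 40,
}


def main():
    for name, verdict in triage(SAMPLE_FILES).items():
        print(f"{verdict:22s} {name}")


if __name__ == "__main__":
    main()
```

In a real engagement the candidates would be OST files copied off each workstation's disk (or a forensic image) rather than in-memory buffers, and the "intact" set is what gets imported into the rebuilt Exchange environment; anything flagged encrypted or corrupt is kept as evidence but not trusted as a mail source.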
"For the most part, the manufacturing operation survived unscathed and we did not miss any customer orders."
During the following few weeks key milestones in the restoration process were completed through close collaboration between Progent engineers and the client:
- In-house web sites were returned to operation without losing any information.
- The MailStore email archive server, holding more than 4 million historical emails, was brought back up and made available to users.
- CRM, product ordering, invoicing, accounts payable, accounts receivable, and inventory functions were fully recovered.
- A new Palo Alto Networks PA-850 firewall was brought online.
- Nearly all of the desktops and laptops were back into operation.
"A lot of what occurred those first few days is mostly a blur for me, but my management will not soon forget the urgency each of you accomplished to help get our business back. I've entrusted Progent for the past 10 years, maybe more, and every time I needed help Progent has impressed me and delivered as promised. This situation was a life saver."
A likely business-ending catastrophe was averted by results-oriented professionals, a wide range of expertise, and tight teamwork. The post-incident forensic review showed that this attack could have been stopped by modern security tooling and established best practices: user and administrator training, well-designed backup procedures that keep copies offline, and timely software patching. Even so, attackers operating from Russia, North Korea, China and elsewhere, whether state-sponsored or criminal, are relentless and represent an ongoing threat. If you do fall victim to a ransomware incursion, you can be confident that Progent's team has proven experience in ransomware defense, remediation, and information systems restoration.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Tony (and any others that were helping), thanks very much for making it so I could get some sleep after we got past the initial fire. All of you made a fabulous effort, and if any of you guys are in the Chicago area, a great meal is the least I can do!"
To review or download a PDF version of this customer story, click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Crypto-Ransomware Protection Services Available from Progent
Progent can provide companies in Naples a variety of remote monitoring and security evaluation services designed to help you reduce the threat from ransomware. These services incorporate modern AI capabilities to detect zero-day strains of ransomware that get past traditional signature-based security solutions.
For Naples 24-Hour Crypto Removal Consultants, reach out to Progent at 800-993-9400 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
ProSight Active Security Monitoring (ASM) is an endpoint protection service that utilizes cutting edge behavior-based machine learning tools to guard physical and virtual endpoints against new malware attacks like ransomware and file-less exploits, which routinely evade legacy signature-based anti-virus tools. ProSight Active Security Monitoring protects on-premises and cloud resources and offers a unified platform to manage the entire threat lifecycle including protection, detection, containment, cleanup, and post-attack forensics. Top features include one-click rollback using Windows VSS and real-time network-wide immunization against new threats. Learn more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware recovery.
- ProSight Enhanced Security Protection (ESP): Endpoint Security and Microsoft Exchange Filtering
ProSight Enhanced Security Protection (ESP) managed services offer affordable in-depth protection for physical and virtual servers, desktops, smartphones, and Exchange email. ProSight ESP utilizes contextual security and advanced machine learning for continuously monitoring and reacting to cyber threats from all attack vectors. ProSight ESP offers two-way firewall protection, intrusion alerts, endpoint control, and web filtering through leading-edge technologies packaged within a single agent managed from a unified console. Progent's security and virtualization experts can assist you to design and configure a ProSight ESP deployment that meets your organization's unique requirements and that helps you demonstrate compliance with legal and industry data security standards. Progent will help you define and implement security policies that ProSight ESP will manage, and Progent will monitor your IT environment and react to alerts that require urgent attention. Progent's consultants can also assist your company to set up and verify a backup and restore solution such as ProSight Data Protection Services (DPS) so you can recover quickly from a destructive cyber attack like ransomware. Find out more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint security and Exchange email filtering.
- ProSight Data Protection Services: Managed Backup and Disaster Recovery
ProSight Data Protection Services provide small and mid-sized organizations an affordable end-to-end service for reliable backup and disaster recovery. For a low monthly price, ProSight Data Protection Services automates and monitors your backup processes and enables fast recovery of critical files, applications and VMs that have been lost or damaged by hardware failures, software glitches, disasters, human error, or malicious attacks such as ransomware. ProSight Data Protection Services can help you back up, retrieve and restore files, folders, applications, system images, and Hyper-V and VMware virtual machine images. Important data can be backed up to the cloud, to a local device, or to both. Progent's backup and recovery consultants can provide world-class expertise to configure ProSight DPS to comply with regulatory standards such as HIPAA, FERPA, and PCI and, when needed, can assist you in recovering your critical data. Find out more about ProSight Data Protection Services Managed Backup.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam filtering and email encryption service that incorporates the infrastructure of leading data security vendors to provide centralized management and comprehensive security for all your email traffic. The hybrid structure of Progent's Email Guard integrates cloud-based filtering with a local gateway device to offer advanced defense against spam, viruses, DoS attacks, directory harvest attacks (DHAs), and other email-borne malware. The cloud filter serves as a first barrier and blocks most unwanted email before it reaches your security perimeter. This decreases your exposure to inbound attacks and saves network bandwidth and storage space. Email Guard's onsite security gateway device provides a further layer of analysis for inbound email. For outbound email, the local security gateway provides anti-virus and anti-spam protection, data leak prevention, and email encryption. The on-premises security gateway can also assist Exchange Server in tracking and protecting internal email traffic that originates and ends inside your security perimeter. For more information, visit Email Guard spam and content filtering.
- ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
ProSight WAN Watch is an infrastructure monitoring and management service that makes it simple and affordable for smaller organizations to map out, track, reconfigure and debug their networking appliances such as switches, firewalls, and access points as well as servers, endpoints and other devices. Incorporating cutting-edge Remote Monitoring and Management technology, ProSight WAN Watch ensures that network diagrams are always updated, captures and displays the configuration of virtually all devices on your network, monitors performance, and generates notices when problems are discovered. By automating complex network management activities, WAN Watch can knock hours off ordinary tasks like making network diagrams, reconfiguring your network, finding devices that require critical software patches, or isolating performance bottlenecks. Learn more about ProSight WAN Watch infrastructure monitoring and management consulting.
- ProSight LAN Watch: Server and Desktop Monitoring
ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that incorporates state-of-the-art remote monitoring and management (RMM) techniques to help keep your IT system operating at peak levels by tracking the state of vital assets that power your business network. When ProSight LAN Watch uncovers a problem, an alert is sent immediately to your designated IT personnel and your assigned Progent engineering consultant so all looming problems can be resolved before they have a chance to disrupt productivity. Learn more details about ProSight LAN Watch server and desktop monitoring consulting.
- ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
With Progent's ProSight Virtual Hosting service, a small business can have its critical servers and apps hosted in a protected fault tolerant data center on a high-performance virtual machine host set up and managed by Progent's IT support professionals. With the ProSight Virtual Hosting model, the customer owns the data, the OS software, and the apps. Because the environment is virtualized, it can be ported immediately to an alternate hosting environment without a lengthy and difficult configuration process. With ProSight Virtual Hosting, you are not locked into one hosting service. Learn more details about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to create, maintain, retrieve and safeguard information related to your IT infrastructure, processes, applications, and services. You can instantly find passwords or serial numbers and be alerted about impending expirations of SSL certificates, domains or warranties. By updating and organizing your IT documentation, you can eliminate as much as half of the time wasted searching for vital information about your network. ProSight IT Asset Management features a common repository for holding and collaborating on all documents required for managing your business network, such as standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also offers a high level of automation for gathering and relating IT data. Whether you're planning enhancements, performing regular maintenance, or reacting to an emergency, ProSight IT Asset Management delivers the data you require the instant you need it. Find out more about Progent's ProSight IT Asset Management service.