Ransomware: Your Crippling IT Nightmare
Ransomware Recovery Experts
Ransomware has become an escalating cyber pandemic that poses an extinction-level danger for businesses vulnerable to an attack. Versions of ransomware like the Reveton, Fusob, Locky, NotPetya and MongoLock cryptoworms have been replicating for a long time and still inflict destruction. The latest versions of ransomware like Ryuk, Maze, Sodinokibi, DopplePaymer, Conti or Egregor, plus additional unnamed newcomers, not only encrypt online data but also infiltrate any available system protection. Files synchronized to off-site disaster recovery sites can also be rendered useless. In a poorly architected data protection solution, this can make automated restore operations hopeless and effectively set the entire system back to zero.

Recovering programs and information after a ransomware event becomes a race against the clock as the targeted organization tries its best to contain and clear the ransomware and to restore business-critical activity. Since ransomware needs time to spread, attacks are frequently launched at night, when penetrations typically take more time to uncover. This multiplies the difficulty of promptly mobilizing and organizing a capable mitigation team.

Progent provides a range of services for securing organizations from ransomware penetrations. Among these are team education to become familiar with and not fall victim to phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, along with installation of modern security solutions with machine learning capabilities to automatically detect and disable new threats. Progent in addition offers the services of experienced ransomware recovery professionals with the skills and commitment to reconstruct a compromised environment as rapidly as possible.

Progent's Ransomware Restoration Support Services
Subsequent to a crypto-ransomware penetration, even paying the ransom in cryptocurrency does not ensure that the attackers will respond with the codes needed to decrypt any or all of your data. Kaspersky Labs ascertained that seventeen percent of crypto-ransomware victims never restored their files even after having paid the ransom, resulting in increased losses. The ransom itself is also costly. Ryuk ransoms frequently range from fifteen to forty BTC ($120,000 to $400,000). This is well above the average ransomware demand, which ZDNET estimates to be approximately $13,000. The fallback is to re-install the mission-critical parts of your Information Technology environment. Without access to complete information backups, this calls for a wide complement of IT skills, well-coordinated project management, and the ability to work 24x7 until the task is over.

For two decades, Progent has offered expert IT services for companies in Virginia Beach and across the U.S. and has achieved Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes consultants who have earned top certifications in foundation technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cyber security engineers have earned internationally-renowned industry certifications including CISA, CISSP, ISACA CRISC, and GIAC. (See Progent's certifications). Progent also has experience with financial management and ERP application software. This breadth of expertise gives Progent the capability to quickly identify critical systems following a ransomware event, integrate the surviving pieces of your IT environment, and rebuild them into an operational system.

Progent's ransomware team has top-notch project management applications to coordinate the sophisticated restoration process. Progent appreciates the importance of working swiftly and together with a client's management and Information Technology staff to prioritize tasks and to get essential systems back on line as fast as humanly possible.

Client Story: A Successful Ransomware Attack Recovery
A small business escalated to Progent after their company was penetrated by the Ryuk ransomware. Ryuk is generally considered to have been developed by North Korean government-sponsored hackers, possibly using techniques exposed from the U.S. National Security Agency. Ryuk seeks specific businesses with little or no tolerance for operational disruption and is one of the most lucrative instances of ransomware. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a single-location manufacturing company based in Chicago with about 500 employees. The Ryuk attack had frozen all business operations and manufacturing processes. The majority of the client's backups had been directly accessible at the start of the attack and were damaged. The client was taking steps to pay the ransom demand (exceeding two hundred thousand dollars) and hoping for the best, but ultimately called Progent.


"I cannot tell you enough in regards to the expertise Progent provided us throughout the most fearful period of (our) business's life. We would have paid the Hackers if not for the confidence the Progent group gave us. That you could get our e-mail system and important applications back into operation quicker than seven days was amazing. Every single person I spoke to or communicated with at Progent was totally committed to getting our system up and was working non-stop on our behalf."

Progent worked together with the client to quickly assess and assign priority to the mission critical applications that had to be restored in order to continue business operations:

  • Windows Active Directory
  • Electronic Mail
  • Accounting and Manufacturing Software
To begin, Progent followed industry best practices for malware incident mitigation by stopping lateral movement and performing virus removal steps. Progent then started the process of rebuilding Windows Active Directory, the key technology of enterprise networks built on Microsoft technology. Exchange messaging will not work without Windows AD, and the business's MRP applications utilized Microsoft SQL Server, which needs Active Directory for security authorization to the data.

Within 2 days, Progent was able to recover Windows Active Directory to its pre-penetration state. Progent then initiated reinstallations and storage recovery on essential servers. All Exchange Server ties and attributes were intact, which accelerated the rebuild of Exchange. Progent was able to locate non-encrypted OST data files (Outlook Offline Data Files) on team desktop computers in order to recover email data. A recent offline backup of the customer's financials/ERP software allowed these required services to be restored and made available to users again. Although major work remained to recover completely from the Ryuk attack, essential services were restored quickly:


"For the most part, the manufacturing operation ran fairly normal throughout and we delivered all customer deliverables."
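The email recovery step above relied on finding Outlook Offline Data Files on desktops that the encryptor had not touched. The following script is an added example, not Progent's tooling, that shows how a recovery team can triage a collected set of user profile directories: it walks the tree, picks out files whose name carries an .ost or .pst suffix (including files the encryptor may have renamed by appending its own extension), and checks whether each one still begins with the "!BDN" magic bytes that every PST/OST file carries in its header. Files that keep the header are worth importing; files that have lost it have been overwritten. The profile tree, the user names and the ".locked" extension in the sample are constructed for the dry run and are not from the case study.

```python
"""Triage Outlook data files (.ost/.pst) left on workstations after a ransomware event.

Added example, not part of the case study or Progent's tooling. It assumes the
recovery team has copied or mounted user profile directories under one root and
wants to know which Outlook Offline Data Files still carry the on-disk PST/OST
header (and are therefore candidates for import) versus files the encryptor has
overwritten.
"""
import os
import tempfile
from pathlib import Path
from typing import Dict, List

# PST and OST files begin with the 4-byte magic "!BDN" (the dwMagic field of the header).
PST_MAGIC = b"!BDN"
OUTLOOK_SUFFIXES = {".ost", ".pst"}


def looks_like_outlook_store(path: Path) -> bool:
    """Return True if the file begins with the Outlook data-file magic bytes."""
    try:
        with path.open("rb") as fh:
            return fh.read(len(PST_MAGIC)) == PST_MAGIC
    except OSError:
        # Unreadable files are reported as damaged rather than aborting the sweep.
        return False


def is_candidate(name: str) -> bool:
    """A candidate has .ost or .pst anywhere in its suffix chain, so that a store
    renamed by an encryptor that appends its own extension is still examined."""
    return bool(set(Path(name.lower()).suffixes) & OUTLOOK_SUFFIXES)


def triage_outlook_files(root: Path) -> Dict[str, List[str]]:
    """Walk `root` and sort candidate Outlook data files into intact vs. damaged.

    Paths are returned relative to `root`, in POSIX form, sorted for stable output.
    """
    result: Dict[str, List[str]] = {"intact": [], "damaged": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not is_candidate(name):
                continue
            p = Path(dirpath) / name
            bucket = "intact" if looks_like_outlook_store(p) else "damaged"
            result[bucket].append(p.relative_to(root).as_posix())
    for paths in result.values():
        paths.sort()
    return result


def build_sample_profiles() -> Path:
    """Create a constructed sample profile tree (not real data) for a dry run."""
    root = Path(tempfile.mkdtemp(prefix="ost-triage-"))
    outlook_dir = Path("AppData") / "Local" / "Microsoft" / "Outlook"

    # An untouched OST: valid header followed by filler.
    alice = root / "alice" / outlook_dir
    alice.mkdir(parents=True)
    (alice / "alice@example.com.ost").write_bytes(PST_MAGIC + b"\x00" * 508)

    # A store whose contents were overwritten and which was renamed with a
    # hypothetical ".locked" extension (constructed, not a real family's marker).
    bob = root / "bob" / outlook_dir
    bob.mkdir(parents=True)
    (bob / "bob@example.com.ost.locked").write_bytes(b"\xde\xad\xbe\xef" * 128)

    # Unrelated file that must be ignored by the sweep.
    (root / "bob" / "notes.txt").write_text("not an Outlook file")
    return root


if __name__ == "__main__":
    sample_root = build_sample_profiles()
    report = triage_outlook_files(sample_root)
    for bucket, paths in report.items():
        print(f"{bucket}:")
        for rel in paths:
            print("   ", rel)
```

Point the script at a root that holds the collected profile directories instead of the constructed sample; the header check is cheap enough to run across every workstation image before deciding which stores to hand to an import tool.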

Throughout the next few weeks critical milestones in the recovery process were made in tight cooperation between Progent team members and the client:

  • Internal web sites were brought back up without losing any data.
  • The MailStore Microsoft Exchange Server with over four million archived emails was brought on-line and accessible to users.
  • CRM/Orders/Invoices/Accounts Payable (AP)/AR/Inventory Control modules were 100 percent operational.
  • A new Palo Alto Networks 850 firewall was installed and configured.
  • Most of the user workstations were fully operational.

"A lot of what went on those first few days is mostly a fog for me, but we will not forget the care each of you accomplished to help get our company back. I've trusted Progent for at least 10 years, maybe more, and every time Progent has outperformed my expectations and delivered. This time was a stunning achievement."

Conclusion
A likely enterprise-killing disaster was evaded by top-tier experts, a broad array of knowledge, and close teamwork. Although in post-mortem the ransomware incident described here could have been identified and blocked with modern security technology and ISO/IEC 27001 best practices, staff training, and appropriate incident response procedures for data protection and applying software patches, the fact remains that government-sponsored cyber criminals from China, Russia, North Korea and elsewhere are tireless and represent an ongoing threat. If you do fall victim to a ransomware incident, feel confident that Progent's roster of professionals has proven experience in crypto-ransomware blocking, remediation, and information systems recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (along with others that were contributing), thanks very much for letting me get some sleep after we got past the initial fire. Everyone did an incredible job, and if any of your guys is visiting the Chicago area, a great meal is on me!"

To read or download a PDF version of this case study, click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent offers businesses in Virginia Beach a portfolio of remote monitoring and security assessment services to help you to minimize your vulnerability to ransomware. These services incorporate next-generation machine learning technology to uncover new variants of crypto-ransomware that are able to get past traditional signature-based anti-virus solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring (ASM) is an endpoint protection solution that utilizes cutting edge behavior-based machine learning tools to defend physical and virtual endpoints against new malware attacks like ransomware and email phishing, which easily get by traditional signature-based AV tools. ProSight ASM safeguards local and cloud resources and provides a unified platform to automate the entire malware attack progression including protection, infiltration detection, containment, remediation, and post-attack forensics. Key features include single-click rollback using Windows Volume Shadow Copy Service and real-time network-wide immunization against new attacks. Read more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection: Endpoint Security and Microsoft Exchange Email Filtering
    ProSight Enhanced Security Protection (ESP) managed services offer ultra-affordable multi-layer security for physical and virtual servers, desktops, smartphones, and Exchange email. ProSight ESP uses contextual security and advanced heuristics for continuously monitoring and responding to security threats from all vectors. ProSight ESP delivers two-way firewall protection, penetration alarms, device management, and web filtering via cutting-edge technologies packaged within one agent accessible from a unified control. Progent's data protection and virtualization experts can assist you to design and configure a ProSight ESP environment that addresses your organization's specific requirements and that helps you prove compliance with government and industry information security regulations. Progent will help you define and configure security policies that ProSight ESP will enforce, and Progent will monitor your IT environment and respond to alerts that require immediate action. Progent can also help you to install and verify a backup and disaster recovery solution such as ProSight Data Protection Services (DPS) so you can get back in business quickly from a destructive cyber attack like ransomware. Find out more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint protection and Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery
    ProSight Data Protection Services provide small and medium-sized organizations an affordable and fully managed service for reliable backup/disaster recovery. Available at a low monthly rate, ProSight Data Protection Services automates your backup activities and allows rapid recovery of vital data, applications and virtual machines that have become unavailable or damaged due to component breakdowns, software bugs, disasters, human mistakes, or malware attacks such as ransomware. ProSight Data Protection Services can help you back up, retrieve and restore files, folders, apps, system images, as well as Hyper-V and VMware virtual machine images. Critical data can be protected on the cloud, to a local device, or to both. Progent's backup and recovery specialists can provide world-class expertise to set up ProSight DPS to comply with government and industry regulatory standards such as HIPAA, FINRA, and PCI and, when necessary, can help you to restore your business-critical data. Read more about ProSight DPS Managed Backup.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering service that incorporates the infrastructure of top data security vendors to provide centralized management and world-class protection for your inbound and outbound email. The hybrid structure of Progent's Email Guard combines cloud-based filtering with a local gateway device to offer complete defense against spam, viruses, DoS attacks, directory harvest attacks, and other email-borne threats. The Cloud Protection Layer acts as a first line of defense and keeps most threats from making it to your security perimeter. This decreases your exposure to external attacks and conserves system bandwidth and storage space. Email Guard's on-premises security gateway appliance provides a further level of inspection for inbound email. For outgoing email, the onsite gateway provides anti-virus and anti-spam filtering, DLP, and email encryption. The onsite security gateway can also help Exchange Server to track and protect internal email traffic that stays inside your corporate firewall. For more details, see Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Infrastructure Management
    Progent's ProSight WAN Watch is an infrastructure management service that makes it easy and affordable for smaller businesses to map, monitor, reconfigure and debug their networking appliances such as routers, firewalls, and load balancers plus servers, printers, client computers and other networked devices. Incorporating state-of-the-art Remote Monitoring and Management (RMM) technology, WAN Watch makes sure that infrastructure topology maps are kept updated, captures and manages the configuration of almost all devices connected to your network, tracks performance, and generates notices when issues are discovered. By automating complex management activities, WAN Watch can cut hours off common chores like making network diagrams, reconfiguring your network, locating devices that require critical software patches, or resolving performance issues. Find out more about ProSight WAN Watch infrastructure monitoring and management services.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring
    ProSight LAN Watch is Progent's server and desktop monitoring managed service that incorporates state-of-the-art remote monitoring and management (RMM) technology to keep your network operating efficiently by checking the state of vital assets that drive your business network. When ProSight LAN Watch detects a problem, an alert is transmitted automatically to your specified IT staff and your Progent engineering consultant so any looming problems can be addressed before they can impact productivity. Find out more about ProSight LAN Watch server and desktop remote monitoring consulting.

  • ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
    With ProSight Virtual Hosting service, a small or mid-size organization can have its critical servers and apps hosted in a secure fault tolerant data center on a fast virtual machine host set up and managed by Progent's IT support professionals. Under Progent's ProSight Virtual Hosting service model, the customer owns the data, the OS software, and the apps. Because the system is virtualized, it can be moved immediately to a different hosting solution without a time-consuming and difficult reinstallation process. With ProSight Virtual Hosting, you are not tied to a single hosting service. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to capture, update, retrieve and safeguard information related to your network infrastructure, processes, applications, and services. You can instantly find passwords or serial numbers and be alerted automatically about impending expirations of SSL certificates or warranties. By cleaning up and managing your IT documentation, you can save up to half the time wasted looking for critical information about your network. ProSight IT Asset Management includes a common repository for storing and collaborating on all documents related to managing your business network such as recommended procedures and self-service instructions. ProSight IT Asset Management also offers a high level of automation for gathering and associating IT information. Whether you're planning improvements, doing regular maintenance, or responding to an emergency, ProSight IT Asset Management delivers the information you require when you need it. Find out more about Progent's ProSight IT Asset Management service.
For Virginia Beach 24-7 Crypto Removal Help, contact Progent at 800-993-9400 or go to Contact Progent.