Ransomware : Your Worst IT Nightmare
Ransomware has become a modern cyber pandemic that poses an existential danger to businesses of all sizes that are vulnerable to an attack. Various versions of ransomware such as the CryptoLocker, Fusob, Locky, NotPetya and MongoLock cryptoworms have been replicating for a long time and continue to cause damage. Modern strains of crypto-ransomware such as Ryuk, Maze, Sodinokibi, DopplePaymer, Snatch or Egregor, plus more as yet unnamed malware, not only encrypt online data but also attack most accessible system protection mechanisms. Data synched to the cloud can also be rendered useless. In a poorly architected data protection solution, this can make automatic recovery hopeless and effectively sets the datacenter back to zero.
Restoring online services and information following a crypto-ransomware event becomes a race against the clock as the targeted business works to contain the damage, remove the crypto-ransomware, and restore business-critical activity. Because ransomware requires time to move laterally, attacks are often sprung at night, when they take longer to notice. This compounds the difficulty of promptly assembling and coordinating a knowledgeable mitigation team.
Progent offers a range of services for protecting organizations from ransomware events. Among these are user education on recognizing and avoiding phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, plus deployment of modern security solutions with machine learning technology to quickly detect and quarantine new cyber attacks. Progent can also provide the assistance of seasoned ransomware recovery professionals with the skills and commitment to reconstruct a breached network as soon as possible.
Progent's Ransomware Recovery Support Services
Following a crypto-ransomware penetration, paying the ransom in cryptocurrency provides no assurance that the criminal gangs will return the keys to decrypt all your files. Kaspersky determined that seventeen percent of ransomware victims never recovered their information even after paying the ransom, resulting in additional losses. The ransom itself is also expensive. Ryuk ransoms frequently range from 15-40 BTC ($120,000 to $400,000). This is significantly above the usual crypto-ransomware demand, which ZDNET estimates to be around $13,000. The other path is to piece back together the critical parts of your IT environment. Absent access to complete information backups, this calls for a broad range of skill sets, professional project management, and the capability to work continuously until the recovery project is done.
For twenty years, Progent has offered certified expert IT services for companies in Wilmington and throughout the United States and has earned Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes engineers who have attained advanced certifications in leading technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cyber security consultants have garnered internationally-renowned industry certifications including CISM, CISSP-ISSAP, ISACA CRISC, and SANS GIAC. (See Progent's certifications). Progent in addition has expertise with financial systems and ERP software solutions. This breadth of experience gives Progent the skills to efficiently identify important systems and consolidate the surviving pieces of your IT system after a crypto-ransomware penetration and assemble them into an operational network.
Progent's ransomware group deploys powerful project management tools to coordinate the sophisticated restoration process. Progent appreciates the urgency of working rapidly and in concert with a client's management and IT team members to prioritize tasks and to get critical applications back on line as fast as humanly possible.
Business Case Study: A Successful Ransomware Penetration Response
A customer hired Progent after their network was crashed by the Ryuk ransomware. Ryuk is thought to have been launched by North Korean state-sponsored cybercriminals, suspected of using techniques leaked from the United States National Security Agency. Ryuk targets specific companies with limited ability to sustain disruption and is among the most lucrative incarnations of ransomware. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a single-location manufacturing company based in Chicago with around 500 workers. The Ryuk penetration had disabled all essential operations and manufacturing processes. Most of the client's backups had been online at the time of the intrusion and were destroyed. The client was pursuing financing to pay the ransom demand (more than two hundred thousand dollars) and hoping for the best, but ultimately engaged Progent.
"I can't say enough about the expertise Progent gave us throughout the most stressful period of (our) business's life. We would have paid the cybercriminals if it wasn't for the confidence the Progent experts afforded us. The fact that you were able to get our e-mail system and key applications back into operation in less than one week was something I thought impossible. Every single expert I got help from or messaged at Progent was laser focused on getting us working again and was working day and night to bail us out."
Progent worked together with the customer to quickly assess and prioritize the essential services that had to be restored to make it possible to resume business operations:
- Active Directory (AD)
- Microsoft Exchange Email
- Accounting and Manufacturing Software
To start, Progent followed anti-virus incident mitigation best practices by halting the spread and disinfecting systems. Progent then began rebuilding Active Directory, the key technology of enterprise environments built on Microsoft technology. Microsoft Exchange Server messaging will not operate without Windows AD, and the customer's financial and MRP software used Microsoft SQL Server, which requires Windows AD for authentication to the databases.
In less than 48 hours, Progent recovered Windows Active Directory to its pre-attack state. Progent then completed setup and hard drive recovery on the needed applications. All Exchange data and attributes were usable, which facilitated the restore of Exchange. Progent was also able to collect intact OST files (Outlook Offline Data Files) from various PCs and laptops in order to recover email. A fairly recent offline backup of the business's accounting systems allowed these required applications to be brought back online. Although significant work remained to recover fully from the Ryuk virus, critical services were returned to operation quickly:
"For the most part, the production manufacturing operation survived unscathed and we delivered all customer deliverables."
Over the next couple of weeks, key milestones in the recovery project were reached in close cooperation between Progent engineers and the customer:
- Self-hosted web sites were brought back up with no loss of information.
- The MailStore Microsoft Exchange Server containing more than four million archived emails was restored to operations and available for users.
- CRM/Product Ordering/Invoicing/AP/Accounts Receivables/Inventory Control functions were 100% operational.
- A new Palo Alto Networks 850 security appliance was installed and configured.
- Nearly all of the desktop computers were fully operational.
"So much of what was accomplished that first week is nearly entirely a haze for me, but I will not soon forget the care each of the team put in to give us our business back. I've utilized Progent for the past ten years, possibly more, and each time I needed help Progent has outperformed my expectations and delivered. This time was a life saver."
A potential business-ending disaster was averted by hard-working experts, a broad range of IT skills, and close teamwork. Although in hindsight the crypto-ransomware penetration described here could have been stopped with modern cyber security systems and security best practices, user training, and well-designed procedures for backup and patching controls, the reality remains that state-sponsored cyber criminals from China, North Korea and elsewhere are tireless and an ongoing threat. If you do get hit by a crypto-ransomware virus, remember that Progent's roster of professionals has extensive experience in ransomware defense, mitigation, and information systems recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others that were contributing), I'm grateful for letting me get rested after we got through the initial fire. All of you did an incredible job, and if anyone is around the Chicago area, dinner is on me!"
To read or download a PDF version of this customer story, see Progent's Crypto-Ransomware Recovery Case Study Datasheet (PDF, 282 KB).
Additional Ransomware Protection Services Available from Progent
Progent can provide companies in Wilmington a portfolio of online monitoring and security evaluation services to help reduce the threat from ransomware. These services include modern artificial intelligence capabilities to uncover new strains of crypto-ransomware that are able to evade legacy signature-based security solutions.
For 24x7x365 Wilmington Crypto-Ransomware Removal Consultants, reach out to Progent at 800-993-9400 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
ProSight Active Security Monitoring is an endpoint protection (EPP) solution that uses next-generation behavior-based machine learning technology to defend physical and virtual endpoint devices against new malware assaults such as ransomware and file-less exploits, which easily escape legacy signature-based anti-virus tools. ProSight Active Security Monitoring safeguards on-premises and cloud resources and offers a unified platform to manage the complete malware attack lifecycle including filtering, infiltration detection, mitigation, remediation, and post-attack forensics. Key capabilities include single-click rollback using Windows Volume Shadow Copy Service (VSS) and automatic network-wide immunization against new attacks. Read more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware recovery.
- ProSight Enhanced Security Protection (ESP): Endpoint Security and Microsoft Exchange Filtering
Progent's ProSight Enhanced Security Protection managed services deliver ultra-affordable multi-layer security for physical servers and virtual machines, workstations, smartphones, and Exchange Server. ProSight ESP uses contextual security and advanced heuristics for round-the-clock monitoring and response to security threats from all vectors. ProSight ESP provides firewall protection, intrusion alarms, endpoint control, and web filtering through leading-edge tools packaged within one agent managed from a unified console. Progent's security and virtualization consultants can help you plan and implement a ProSight ESP environment that addresses your organization's unique requirements and that allows you to demonstrate compliance with government and industry data protection regulations. Progent will help you define and implement the policies that ProSight ESP will enforce, and Progent will monitor your network and respond to alerts that require immediate attention. Progent can also help your company set up and verify a backup and disaster recovery system like ProSight Data Protection Services (DPS) so you can get back in business rapidly after a potentially disastrous security attack such as ransomware. Find out more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint security and Microsoft Exchange email filtering.
- ProSight Data Protection Services: Managed Backup and Recovery
ProSight Data Protection Services from Progent provide small and medium-sized organizations an affordable end-to-end service for reliable backup/disaster recovery (BDR). For a fixed monthly price, ProSight DPS automates your backup activities and allows fast restoration of vital files, apps and VMs that have become lost or damaged due to hardware breakdowns, software bugs, disasters, human error, or malicious attacks such as ransomware. ProSight Data Protection Services can help you back up, recover and restore files, folders, applications, system images, as well as Hyper-V and VMware virtual machine images. Important data can be backed up to the cloud, to an on-premises device, or to both. Progent's cloud backup specialists can provide advanced support to set up ProSight DPS to comply with government and industry regulatory standards like HIPAA, FINRA, and PCI and, whenever needed, can assist you to restore your critical data. Find out more about ProSight DPS Managed Cloud Backup.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam filtering service that incorporates the technology of leading data security vendors to deliver web-based management and world-class protection for your email traffic. The hybrid architecture of Progent's Email Guard combines cloud-based filtering with an on-premises gateway appliance to provide advanced protection against spam, viruses, DoS attacks, Directory Harvest Attacks (DHAs), and other email-based malware. The Cloud Protection Layer serves as a preliminary barricade and blocks most threats from reaching your security perimeter. This reduces your exposure to inbound attacks and conserves system bandwidth and storage space. Email Guard's onsite security gateway device adds a deeper layer of inspection for incoming email. For outgoing email, the on-premises security gateway offers anti-virus and anti-spam filtering, policy-based Data Loss Prevention, and email encryption. The on-premises security gateway can also help Exchange Server track and safeguard internal email traffic that stays within your corporate firewall. For more details, visit Email Guard spam and content filtering.
- ProSight WAN Watch: Infrastructure Remote Monitoring and Management
Progent's ProSight WAN Watch is a network infrastructure management service that makes it easy and affordable for smaller businesses to map, track, reconfigure and debug their networking hardware like routers, firewalls, and load balancers plus servers, client computers and other devices. Using cutting-edge Remote Monitoring and Management (RMM) technology, ProSight WAN Watch makes sure that infrastructure topology maps are kept current, captures and displays the configuration information of virtually all devices on your network, tracks performance, and generates alerts when issues are detected. By automating time-consuming network management activities, WAN Watch can cut hours off common tasks like network mapping, reconfiguring your network, finding appliances that require important updates, or isolating performance issues. Find out more details about ProSight WAN Watch network infrastructure management consulting.
- ProSight LAN Watch: Server and Desktop Remote Monitoring
ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that incorporates state-of-the-art remote monitoring and management techniques to help keep your IT system operating at peak levels by checking the health of vital assets that drive your business network. When ProSight LAN Watch uncovers an issue, an alarm is sent immediately to your designated IT management personnel and your Progent consultant so that all potential problems can be resolved before they can disrupt your network. Find out more about ProSight LAN Watch server and desktop monitoring consulting.
- ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
With Progent's ProSight Virtual Hosting service, a small business can have its key servers and applications hosted in a secure fault tolerant data center on a high-performance virtual machine host set up and maintained by Progent's IT support experts. With Progent's ProSight Virtual Hosting service model, the client retains ownership of the data, the operating system software, and the apps. Because the environment is virtualized, it can be moved immediately to a different hosting solution without a time-consuming and technically risky reinstallation process. With ProSight Virtual Hosting, your business is not locked into one hosting service. Find out more details about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to capture, update, retrieve and safeguard data related to your IT infrastructure, processes, applications, and services. You can quickly locate passwords or serial numbers and be warned about upcoming expirations of SSL certificates, domains or warranties. By cleaning up and organizing your IT documentation, you can eliminate as much as 50% of time spent looking for critical information about your IT network. ProSight IT Asset Management features a common repository for storing and collaborating on all documents related to managing your network infrastructure like standard operating procedures (SOPs) and How-To's. ProSight IT Asset Management also supports a high level of automation for collecting and relating IT data. Whether you're planning enhancements, performing maintenance, or reacting to a crisis, ProSight IT Asset Management delivers the knowledge you require when you need it. Learn more about Progent's ProSight IT Asset Management service.