Ransomware: Your Feared IT Nightmare
Ransomware Remediation Experts
Crypto-ransomware has become an all-too-frequent cyber pandemic that poses an existential threat to businesses poorly prepared for an attack. Multiple generations of ransomware families such as CryptoLocker, CryptoWall, Bad Rabbit, Syskey and MongoLock have been around for years and continue to cause harm. Newer strains such as Ryuk and Hermes, plus unnamed variants, not only encrypt critical online data but also attack the system's own protection: they delete Volume Shadow Copies, disable Windows recovery options and encrypt any backup volume they can reach. Data synchronized to cloud environments can likewise be overwritten with encrypted copies. In a poorly designed environment this renders automatic restoration hopeless and effectively sets the entire system back to zero.
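The shadow-copy and recovery-option destruction described above is visible in process-creation telemetry before the encryption itself starts, which makes it one of the earliest detection points. The following Python script is an added example, not Progent's code or any product's logic: it parses a small set of constructed process-creation events (the pipe-delimited format, hostnames, users and timestamps are invented for illustration) and flags the well-documented commands ransomware such as Ryuk runs to defeat rollback, then raises severity when one host shows several such techniques in succession.

```python
import re
from collections import defaultdict

# Command lines that ransomware (Ryuk's batch scripts among them) runs before
# encryption so that shadow-copy rollback and Windows recovery are unavailable.
DESTRUCTIVE_PATTERNS = {
    "vss_delete":      re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.I),
    "vss_shrink":      re.compile(r"\bvssadmin(?:\.exe)?\b.*\bresize\s+shadowstorage\b", re.I),
    "wmic_vss_delete": re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
    "bcd_no_recovery": re.compile(r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\s+no\b", re.I),
    "bcd_ignore_fail": re.compile(r"\bbcdedit(?:\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I),
    "wbadmin_catalog": re.compile(r"\bwbadmin(?:\.exe)?\b.*\bdelete\s+catalog\b", re.I),
}


def classify(cmdline):
    """Return the sorted labels of every destructive pattern matched by one command line."""
    return sorted(label for label, rx in DESTRUCTIVE_PATTERNS.items() if rx.search(cmdline))


def parse_event(line):
    """Parse one constructed event: 'timestamp|host|user|parent_image|command_line'.
    Returns None for lines that do not have all five fields."""
    parts = line.rstrip("\n").split("|", 4)
    if len(parts) != 5:
        return None
    ts, host, user, parent, cmdline = parts
    return {"ts": ts, "host": host, "user": user, "parent": parent, "cmdline": cmdline}


def scan(lines):
    """Return every parseable event whose command line matches a destructive pattern."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        labels = classify(ev["cmdline"])
        if labels:
            hits.append({**ev, "labels": labels})
    return hits


def score_hosts(hits):
    """Per host, collect the distinct techniques seen. A single 'vssadmin resize'
    can be legitimate storage housekeeping; two or more distinct recovery-destruction
    techniques on one host is treated as a ransomware precursor (severity 'high')."""
    seen = defaultdict(set)
    for h in hits:
        seen[h["host"]].update(h["labels"])
    return {host: ("high" if len(labels) >= 2 else "medium", sorted(labels))
            for host, labels in seen.items()}


# Constructed sample telemetry (hypothetical hosts, users and times); the first
# four command lines mirror the sequence Ryuk's pre-encryption script issues.
SAMPLE_EVENTS = [
    "2019-03-02T03:11:05Z|WS-FIN-07|CORP\\bob|C:\\Windows\\System32\\cmd.exe|vssadmin.exe Delete Shadows /all /quiet",
    "2019-03-02T03:11:06Z|WS-FIN-07|CORP\\bob|C:\\Windows\\System32\\cmd.exe|vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB",
    "2019-03-02T03:11:07Z|WS-FIN-07|CORP\\bob|C:\\Windows\\System32\\cmd.exe|bcdedit /set {default} recoveryenabled No",
    "2019-03-02T03:11:08Z|WS-FIN-07|CORP\\bob|C:\\Windows\\System32\\cmd.exe|bcdedit /set {default} bootstatuspolicy ignoreallfailures",
    "2019-03-02T03:11:09Z|SRV-FILE-01|CORP\\svc_backup|C:\\Windows\\System32\\cmd.exe|wmic.exe shadowcopy delete",
    "2019-03-02T03:12:00Z|WS-HR-02|CORP\\alice|C:\\Windows\\explorer.exe|notepad.exe C:\\Users\\alice\\notes.txt",
    "2019-03-02T03:15:00Z|SRV-FILE-01|CORP\\admin|C:\\Windows\\System32\\cmd.exe|vssadmin list shadows",
    "malformed line with no separators",
]

if __name__ == "__main__":
    for h in scan(SAMPLE_EVENTS):
        print(f'{h["ts"]} {h["host"]} {h["user"]} {h["labels"]}: {h["cmdline"]}')
    for host, (severity, labels) in score_hosts(scan(SAMPLE_EVENTS)).items():
        print(f"{host}: {severity} {labels}")
```

Feeding real Sysmon Event ID 1 or Windows 4688 records into `parse_event` only requires swapping the field split for the log's own schema; the patterns and the per-host scoring are what carry the detection. Note that the commands are run from `cmd.exe` under an ordinary user account in the first four samples, which is the shape to alert on; a scheduled storage-management job on a file server will usually show one technique, not four in a few seconds.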

Getting services and data back after a crypto-ransomware intrusion becomes a sprint against time as the victim fights to contain the damage, remove the ransomware and resume mission-critical operations. Because ransomware takes time to spread and encrypt, attacks are frequently launched on weekends or holidays, when intrusions are likely to take longer to discover. This multiplies the difficulty of rapidly assembling and coordinating an experienced mitigation team.

Progent provides an assortment of services for protecting organizations against crypto-ransomware. Among these are staff training to recognize and avoid phishing, ProSight Active Security Monitoring for remote monitoring and management, and deployment of modern behavior-based security tools to quickly detect and contain new attacks. Progent also provides seasoned crypto-ransomware recovery consultants with the skills and commitment to rebuild a breached environment as urgently as possible.

Progent's Ransomware Recovery Support Services
After a ransomware intrusion, paying the ransom in Bitcoin does not guarantee that the criminals will return the keys needed to decrypt all your files. Kaspersky Labs found that 17% of ransomware victims never recovered their data after paying, compounding their losses. The gamble is also expensive: Ryuk ransoms frequently range from 15 to 40 BTC (roughly $120,000 to $400,000), far above the average ransomware demand, which ZDNet put at around $13,000. The alternative is to rebuild the key parts of your IT environment. Without access to complete, uncorrupted backups, this calls for a broad range of IT skills, first-rate project management, and the willingness to work around the clock until the job is done.

For two decades, Progent has offered certified expert IT services for businesses in Fort Lauderdale and across the United States and has earned Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes engineers who hold top certifications in key technologies such as Microsoft, Cisco, VMware, and popular Linux distributions. Progent's cybersecurity experts hold internationally recognized industry certifications including CISM, CISSP, ISACA CRISC, and GIAC (see Progent's certifications). Progent also has expertise in financial management and ERP applications. This breadth of expertise gives Progent the ability to understand critical systems, organize the surviving components of your network after a ransomware intrusion, and assemble them into an operational system.

Progent's security team uses proven project management tools to orchestrate the complex restoration process. Progent understands the urgency of acting quickly and works with the client's management and IT staff to prioritize tasks and get critical applications back online as soon as possible.

Customer Case Study: A Successful Ransomware Incident Restoration
A client engaged Progent after their network was penetrated by Ryuk ransomware. Ryuk shares code with the earlier Hermes ransomware, which led early reports to link it to North Korean state-sponsored actors; later analysis attributed Ryuk operations to a Russian-speaking criminal group. Ryuk targets specific businesses with little tolerance for disruption and is one of the most lucrative ransomware families. Headline victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a single-location manufacturing company based in Chicago with about 500 staff members. The Ryuk intrusion had paralyzed all essential business and manufacturing operations. Most of the client's backups had been online at the start of the intrusion and were encrypted or corrupted along with production data. The client was actively seeking loans to pay the ransom demand (in excess of two hundred thousand dollars) and hoping for the best, but ultimately called Progent.


"I cannot speak enough in regards to the expertise Progent gave us throughout the most stressful time of (our) company's existence. We had little choice but to pay the cyber criminals behind the attack except for the confidence the Progent group provided us. That you were able to get our e-mail and important applications back into operation in less than five days was something I thought impossible. Each person I interacted with or texted at Progent was absolutely committed on getting us back online and was working day and night on our behalf."

Progent worked together with the client to quickly understand and prioritize the mission critical areas that needed to be addressed in order to resume departmental functions:

  • Windows Active Directory
  • Microsoft Exchange Server
  • Accounting and Manufacturing Software

To start, Progent followed malware incident response best practices: halting the spread and removing the malware from affected hosts. Progent then began recovering Microsoft Active Directory, the heart of enterprise environments built on Microsoft technology. Exchange Server cannot operate without AD, and the business's MRP applications ran on Microsoft SQL Server, which relied on Windows (AD) authentication to authorize access to the data.

In less than 48 hours, Progent rebuilt Active Directory to its pre-attack state. Progent then completed setup and storage recovery of key systems. All Exchange Server links and configuration data were intact, which simplified rebuilding Exchange. Progent was also able to gather unencrypted OST files (Outlook Offline Data Files) from user desktops and laptops to recover mailbox contents. A recent offline backup of the business's accounting/ERP systems made it possible to restore those applications to service. Although much work remained to recover fully from the Ryuk incident, critical systems were returned to operation rapidly:


"For the most part, the production operation was never shut down and we delivered all customer orders."

Over the next couple of weeks, important milestones in the recovery were reached in close collaboration between Progent staff and the client:

  • Self-hosted web applications were brought back up with no loss of data.
  • The MailStore email archive server holding more than 4 million historical messages was brought online and made available to users.
  • CRM/Customer Orders/Invoices/Accounts Payable (AP)/AR/Inventory capabilities were completely functional.
  • A new Palo Alto Networks PA-850 firewall was installed.
  • Nearly all user desktops were functioning as before the incident.

"A lot of what occurred during the initial response is mostly a haze for me, but my management will not forget the urgency each of the team accomplished to give us our business back. I've been working together with Progent for at least 10 years, possibly more, and each time Progent has outperformed my expectations and delivered. This event was a life saver."

Conclusion
A probable business-killing disaster was averted through hard-working professionals, a wide spectrum of subject matter expertise, and close collaboration. In hindsight, the attack described here would likely have been prevented by current security tooling and practices: offline or otherwise isolated backups, prompt security patching, user and IT administrator training, and tested incident response procedures. But criminal and state-sponsored attackers, from Russia, China and elsewhere, are tireless and are not going away. If you do fall victim to a ransomware intrusion, be assured that Progent's team has proven experience in ransomware prevention, remediation, and data restoration.


"So, to Darrin, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others who were contributing), thank you for making it so I could get some sleep after we got over the initial fire. All of you did an impressive job, and if any of your guys is in the Chicago area, a great meal is my treat!"

To review or download a PDF version of this ransomware incident report, click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent offers companies in Fort Lauderdale a variety of remote monitoring and security assessment services to help minimize your exposure to ransomware. These services include machine learning technology to detect new ransomware variants that evade legacy signature-based antivirus products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection service that uses behavior-based machine learning to guard physical and virtual endpoints against modern malware such as ransomware and phishing payloads, which readily evade legacy signature-matching AV tools. ProSight ASM protects on-premises and cloud resources and provides a single platform covering the full threat lifecycle: protection, detection, containment, remediation, and forensics. Key features include one-click rollback using Windows Volume Shadow Copy Service and real-time network-wide immunization against newly detected threats. Note that VSS-based rollback only works if the agent stops the attack before the ransomware deletes the shadow copies; it complements, rather than replaces, isolated backups. Learn more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection (ESP): Endpoint Security and Microsoft Exchange Filtering
    ProSight Enhanced Security Protection (ESP) managed services deliver economical multi-layer security for physical servers and VMs, desktops, mobile devices, and Microsoft Exchange. ProSight ESP uses adaptive security and machine learning to continuously monitor and react to attacks from all vectors. ProSight ESP offers firewall protection, intrusion alerts, endpoint management, and web filtering through tools packaged within one agent and managed from a unified console. Progent's data protection and virtualization experts can help your business design and configure a ProSight ESP deployment that addresses your organization's specific needs and lets you achieve and demonstrate compliance with government and industry information protection regulations. Progent will help you specify and implement the security policies that ProSight ESP enforces, and Progent will monitor your network and react to alerts that require immediate action. Progent's consultants can also help your company install and verify a backup and restore solution such as ProSight Data Protection Services (DPS) so you can recover rapidly from a destructive attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint protection and Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services offer small and medium-sized organizations a low-cost end-to-end solution for secure backup and disaster recovery. For a fixed monthly cost, ProSight DPS automates your backup processes and allows rapid recovery of vital data, applications and VMs that have been lost or damaged by component failures, software bugs, natural disasters, human error, or malicious attacks such as ransomware. ProSight DPS can back up, recover and restore files, folders, applications, system images, and Hyper-V and VMware virtual machine images. Important data can be backed up to the cloud, to an on-premises device, or to both. Progent's backup and recovery consultants can provide advanced expertise to configure ProSight Data Protection Services to comply with regulatory standards such as HIPAA, FINRA, and PCI and, when needed, can help you recover your business-critical data. Read more about ProSight Data Protection Services Managed Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering and email encryption service that uses the infrastructure of leading data security vendors to provide centralized management and strong protection for your email traffic. The hybrid structure of Progent's Email Guard combines a cloud protection layer with an on-premises security gateway appliance to defend against spam, viruses, denial of service attacks, directory harvest attacks (DHAs), and other email-borne threats. The cloud filter serves as a first line of defense and blocks the vast majority of unwanted email before it reaches your network firewall. This reduces your exposure to inbound threats and saves bandwidth and storage. Email Guard's on-premises gateway provides a deeper level of inspection for incoming email. For outgoing email, the onsite gateway provides AV and anti-spam filtering, DLP, and email encryption. The onsite security gateway can also help Microsoft Exchange Server monitor and protect internal email traffic that stays inside your corporate firewall. For more information, visit ProSight Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    Progent's ProSight WAN Watch is an infrastructure management service that makes it simple and affordable for small and mid-sized businesses to map, monitor, reconfigure and debug their networking appliances such as switches, firewalls, and load balancers as well as servers, printers, endpoints and other networked devices. Using state-of-the-art RMM technology, ProSight WAN Watch ensures that network maps are kept updated, captures and displays the configuration of almost all devices connected to your network, monitors performance, and sends notices when potential issues are discovered. By automating tedious management processes, ProSight WAN Watch can cut hours off common chores such as network mapping, expanding your network, locating devices that need important updates, or isolating performance issues. Find out more details about ProSight WAN Watch network infrastructure management services.

  • ProSight LAN Watch: Server and Desktop Monitoring
    ProSight LAN Watch is Progent's server and desktop monitoring service that uses advanced remote monitoring and management (RMM) techniques to help keep your network operating at peak levels by checking the health of the critical computers that power your business network. When ProSight LAN Watch uncovers a problem, an alert is transmitted automatically to your designated IT staff and your Progent consultant so any potential issues can be resolved before they have a chance to impact your network. Learn more about ProSight LAN Watch server and desktop remote monitoring consulting.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With Progent's ProSight Virtual Hosting service, a small business can have its key servers and apps hosted in a protected, fault-tolerant data center on a fast virtual host configured and maintained by Progent's IT support experts. With the ProSight Virtual Hosting model, the customer retains ownership of the data, the operating system platforms, and the applications. Because the environment is virtualized, it can be ported easily to an alternate hardware environment without a lengthy and difficult configuration procedure. With ProSight Virtual Hosting, you are not tied to a single hosting provider. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to capture, maintain, retrieve and protect data related to your IT infrastructure, procedures, business apps, and services. You can instantly locate passwords or serial numbers and be warned about impending expirations of SSL certificates, domains or warranties. By cleaning up and managing your IT documentation, you can eliminate up to 50% of the time wasted searching for critical information about your IT network. ProSight IT Asset Management features a centralized repository for holding and sharing all documents related to managing your business network, such as standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also offers advanced automation for collecting and relating IT information. Whether you're making enhancements, performing maintenance, or reacting to an emergency, ProSight IT Asset Management gets you the data you require the instant you need it. Find out more about Progent's ProSight IT Asset Management service.

For Fort Lauderdale 24x7x365 Ransomware Remediation Experts, reach out to Progent at 800-993-9400 or go to Contact Progent.