Ransomware: Your Crippling IT Catastrophe
Ransomware has become an all-too-frequent cyberplague that presents an existential threat to organizations vulnerable to an attack. Ransomware families such as Dharma, Fusob, Bad Rabbit, NotPetya and the MongoLock cryptoworm have been running rampant for many years and still cause damage. The latest crypto-ransomware variants such as Ryuk and Hermes, along with daily unnamed malware, not only encrypt online data files but also attack every system protection mechanism they can reach, including backups. Information synchronized to the cloud can also be corrupted. In a poorly architected data protection solution, this can render automated recovery impossible and effectively sets the entire system back to zero.
Getting applications and information back online after a ransomware outage becomes a race against the clock as the targeted organization struggles to stop the spread, remove the crypto-ransomware, and resume business-critical activity. Because crypto-ransomware needs time to spread, attacks are frequently launched on weekends and holidays, when a successful intrusion typically takes longer to notice. This compounds the difficulty of rapidly marshalling and organizing an experienced mitigation team.
Progent offers a range of support services for securing organizations against ransomware attacks. These include team education to recognize and avoid phishing scams, ProSight Active Security Monitoring for remote monitoring and management, and setup and configuration of modern security gateways with machine learning technology to automatically identify and quarantine zero-day cyber threats. Progent also offers the assistance of experienced ransomware recovery engineers with the skills and perseverance to re-deploy a breached network as quickly as possible.
Progent's Ransomware Restoration Services
After a ransomware event, paying the ransom demand in Bitcoin does not guarantee that the criminal gang will respond with the keys to decrypt any of your data. Kaspersky Labs determined that 17% of ransomware victims never recovered their data after having sent off the ransom, resulting in additional losses. Taking that risk is also very costly. Ryuk ransoms frequently range from fifteen to forty BTC ($120,000 to $400,000). This is well above the usual crypto-ransomware demand, which ZDNET estimates to be around $13,000. The alternative is to re-install the vital elements of your IT environment. Without essential system backups available, this requires a wide complement of skill sets, top-notch project management, and the willingness to work continuously until the recovery project is completed.
For decades, Progent has provided certified expert IT services for companies in Fort Lauderdale and across the U.S. and has earned Microsoft Partner certification status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes consultants who have attained top industry certifications in foundation technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity engineers hold internationally recognized industry certifications including CISM, CISSP, ISACA CRISC, and SANS GIAC. (Refer to Progent's certifications.) Progent also has expertise with financial systems and ERP application software. This breadth of experience gives Progent the skills to understand the systems that must be recovered, reorganize the surviving components of your IT environment after a crypto-ransomware attack, and assemble them into an operational system.
Progent's ransomware team has powerful project management tools to orchestrate the complicated recovery process. Progent knows the importance of working swiftly and in unison with a client's management and Information Technology staff to assign priority to tasks and to put essential applications back on line as soon as possible.
Case Study: A Successful Ransomware Virus Recovery
A business contacted Progent after their organization was taken over by the Ryuk ransomware. Ryuk is generally considered to have been developed by North Korean government-sponsored cybercriminals, possibly adopting techniques leaked from the U.S. National Security Agency. Ryuk targets specific organizations with little or no tolerance for disruption and is one of the most profitable ransomware operations. Headline victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a regional manufacturing company located in the Chicago metro area with about 500 staff members. The Ryuk attack had paralyzed all company operations and manufacturing capabilities. Most of the client's data backups had been online at the time of the attack and were destroyed. The client was evaluating paying the ransom (more than $200,000) and hoping for the best, but ultimately engaged Progent.
"I cannot tell you enough in regards to the support Progent gave us during the most critical time of (our) business's existence. We most likely would have paid the cybercriminals except for the confidence the Progent team afforded us. That you were able to get our e-mail system and key applications back on-line in less than 1 week was something I thought impossible. Each consultant I talked with or e-mailed at Progent was laser focused on getting us back on-line and was working all day and night to bail us out."
Progent worked with the customer to quickly identify and prioritize the critical applications that had to be addressed in order to resume company functions:
- Active Directory
- Electronic Mail
To start, Progent followed antivirus/malware incident mitigation best practices by halting lateral movement and cleaning up infected systems. Progent then began the task of rebuilding Windows Active Directory, the heart of enterprise environments built on Microsoft Windows technology. Microsoft Exchange messaging will not work without Windows AD, and the customer's MRP system used Microsoft SQL Server, which depends on Windows AD for authentication to the database.
Within 48 hours, Progent was able to restore Active Directory services to their pre-attack state. Progent then carried out setup and hard drive recovery of essential systems. All Exchange Server data and configuration information were usable, which facilitated the restore of Exchange. Progent was able to locate intact OST files (Microsoft Outlook Offline Folder Files) on team PCs and laptops in order to recover email data. A recent offline backup of the client's financials/MRP software made it possible to restore these vital services to users. Although a large amount of work remained to recover fully from the Ryuk damage, critical services were recovered quickly:
"For the most part, the production operation showed little impact and we delivered all customer orders."
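The case study above recovers mailbox data from OST files that survived on user workstations. The script below is an added example, not Progent's tooling, showing how a recovery team can inventory OST files across a list of Windows workstations over the C$ administrative share and flag those whose last-write time predates the encryption event. It assumes the running account has local administrator rights on each host and that the computer names, the attack start time and the report path (all placeholders here) are supplied by the operator.

```powershell
# Added example (not Progent's code): inventory Outlook OST files on domain
# workstations so a recovery team can see which endpoints hold mailbox copies
# that predate the encryption event.
# Assumptions: local administrator rights on each host, the C$ admin share is
# reachable, and the parameters below are replaced with real values.
param(
    [string[]]$Computers = @('WS-PLACEHOLDER-01', 'WS-PLACEHOLDER-02'),  # placeholder host names
    [datetime]$EncryptionDate = (Get-Date '2000-01-01'),                   # placeholder: time the attack began
    [string]$ReportPath = '.\ost-inventory.csv'
)

$results = foreach ($computer in $Computers) {
    # Outlook stores each user's OST under the local profile; wildcards cover every profile on the host
    $pattern = "\\$computer\C`$\Users\*\AppData\Local\Microsoft\Outlook\*.ost"
    $files = Get-ChildItem -Path $pattern -File -ErrorAction SilentlyContinue

    if (-not $files) {
        # Record hosts with no OST or that are unreachable, so nothing is silently skipped
        [pscustomobject]@{
            Computer  = $computer
            Path      = $null
            SizeMB    = $null
            LastWrite = $null
            Candidate = $false
            Note      = 'no OST found or host unreachable'
        }
        continue
    }

    foreach ($f in $files) {
        # Ransomware typically rewrites or renames the files it encrypts; an OST that still
        # carries its original extension and was last written before the attack is the
        # best candidate for mailbox recovery.
        [pscustomobject]@{
            Computer  = $computer
            Path      = $f.FullName
            SizeMB    = [math]::Round($f.Length / 1MB, 1)
            LastWrite = $f.LastWriteTime
            Candidate = ($f.LastWriteTime -lt $EncryptionDate -and $f.Extension -ieq '.ost')
            Note      = ''
        }
    }
}

# Persist the full inventory for the recovery plan and show the usable candidates on screen
$results | Sort-Object Candidate -Descending | Export-Csv -Path $ReportPath -NoTypeInformation
$results | Where-Object Candidate | Format-Table Computer, SizeMB, LastWrite, Path -AutoSize
```

Copy any candidate OST to isolated recovery storage before endpoints are wiped or rebuilt, and treat a pre-attack last-write time as a hint rather than proof: the file still has to be opened in Outlook (or converted) under the matching mailbox to confirm its contents are intact.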
Over the next couple of weeks, important milestones in the recovery project were completed through tight cooperation between Progent team members and the client:
- Internal web sites were returned to operation without losing any data.
- The MailStore server for Exchange, holding more than 4 million archived messages, was restored to operation and made accessible to users.
- CRM/Orders/Invoicing/Accounts Payable/Accounts Receivable/Inventory capabilities were 100 percent operational.
- A new Palo Alto Networks 850 security appliance was brought online.
- 90% of the user desktops were back in operation.
"So much of what was accomplished during the initial response is mostly a fog for me, but my management will not forget the urgency each of your team accomplished to give us our company back. I have entrusted Progent for the past ten years, maybe more, and every time I needed help Progent has impressed me and delivered. This time was a stunning achievement."
A probable business-ending catastrophe was averted through the efforts of hard-working professionals, a wide range of subject matter expertise, and close collaboration. Although in retrospect the ransomware attack described here could have been prevented with modern security technology and ISO/IEC 27001 best practices, staff education, and well-designed security procedures for information backup and software patching, the reality remains that state-sponsored hackers from China, Russia, North Korea and elsewhere are tireless and will continue. If you do fall victim to a ransomware attack, remember that Progent's roster of experts has extensive experience in crypto-ransomware blocking, remediation, and information systems recovery.
"So, to Darrin, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were involved), thank you for making it so I could get rested after we got through the initial push. All of you did a fabulous effort, and if any of your team is in the Chicago area, a great meal is on me!"
To read or download a PDF version of this customer case study, see Progent's Crypto-Ransomware Recovery Case Study Datasheet (PDF, 282 KB).
Additional Crypto-Ransomware Protection Services Available from Progent
Progent can provide businesses in Fort Lauderdale a variety of online monitoring and security evaluation services designed to help you minimize your exposure to ransomware. These services use modern machine learning capabilities to detect new variants of ransomware that escape detection by traditional signature-based security products.
For 24/7/365 Fort Lauderdale Crypto-Ransomware Recovery Services, contact Progent at 800-993-9400 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
ProSight Active Security Monitoring (ASM) is an endpoint protection solution that uses behavior analysis technology to defend physical and virtual endpoints against modern malware attacks like ransomware and file-less exploits, which routinely evade legacy signature-based AV products. ProSight Active Security Monitoring safeguards local and cloud-based resources and provides a unified platform to manage the entire malware attack lifecycle, including filtering, detection, containment, remediation, and post-attack forensics. Key capabilities include one-click rollback using the Windows Volume Shadow Copy Service and real-time system-wide immunization against newly discovered threats. Find out more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware recovery.
- ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Protection and Exchange Filtering
ProSight Enhanced Security Protection (ESP) managed services deliver economical in-depth security for physical and virtual servers, workstations, mobile devices, and Exchange email. ProSight ESP uses adaptive security and advanced heuristics to continuously monitor and respond to cyber attacks from all attack vectors. ProSight ESP delivers two-way firewall protection, intrusion alarms, endpoint control, and web filtering through technologies incorporated within one agent accessible from a unified console. Progent's data protection and virtualization experts can help your business plan and implement a ProSight ESP deployment that meets your company's specific needs and lets you prove compliance with legal and industry data security regulations. Progent will help you specify and implement the policies that ProSight ESP will enforce, and Progent will monitor your network and react to alerts that call for immediate action. Progent's consultants can also help you set up and test a backup and disaster recovery solution such as ProSight Data Protection Services (DPS) so you can get back in business quickly after a destructive security attack such as ransomware. Find out more about Progent's ProSight Enhanced Security Protection unified endpoint security and Microsoft Exchange email filtering.
- ProSight Data Protection Services: Managed Backup and Disaster Recovery
ProSight Data Protection Services offer small and medium-sized businesses a low-cost, fully managed solution for secure backup and disaster recovery (BDR). Available at a fixed monthly price, ProSight DPS automates and monitors your backup processes and allows rapid recovery of critical files, apps and VMs that have become unavailable or damaged as a result of component failures, software bugs, disasters, human mistakes, or malicious attacks like ransomware. ProSight Data Protection Services can help you protect, recover and restore files, folders, applications, system images, plus Hyper-V and VMware virtual machine images. Important data can be backed up to the cloud, to an on-premises device, or mirrored to both. Progent's BDR specialists can deliver advanced support to configure ProSight DPS to comply with government and industry regulatory requirements like HIPAA, FINRA, PCI and Safe Harbor and, whenever necessary, can help you recover your critical data. Find out more about ProSight DPS Managed Backup.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam and virus filtering and email encryption service, which builds on the infrastructure of leading information security companies to provide centralized management and world-class protection for all your email traffic. The hybrid architecture of the Email Guard managed service combines a Cloud Protection Layer with a local gateway device to offer advanced protection against spam, viruses, Denial of Service (DoS) attacks, directory harvest attacks (DHAs), and other email-borne threats. The cloud filter acts as a preliminary barricade and keeps the vast majority of unwanted email from reaching your network firewall. This reduces your exposure to inbound threats and saves system bandwidth and storage. Email Guard's on-premises security gateway appliance provides a deeper layer of inspection for inbound email. For outgoing email, the local gateway offers anti-virus and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The local gateway can also help Microsoft Exchange Server monitor and safeguard internal email that stays inside your corporate firewall. For more information, visit ProSight Email Guard spam filtering and data leakage protection.
- ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
ProSight WAN Watch is a network infrastructure management service that makes it simple and inexpensive for small and mid-sized businesses to diagram, monitor, enhance and troubleshoot their connectivity hardware such as routers, firewalls, and wireless controllers plus servers, client computers and other networked devices. Incorporating state-of-the-art RMM technology, ProSight WAN Watch ensures that infrastructure topology maps are kept current, captures and manages the configuration information of almost all devices connected to your network, tracks performance, and sends notices when potential issues are detected. By automating time-consuming management processes, ProSight WAN Watch can cut hours off common tasks like making network diagrams, reconfiguring your network, locating appliances that need critical updates, or isolating performance problems. Learn more about ProSight WAN Watch network infrastructure management services.
- ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
ProSight LAN Watch is Progent's server and desktop monitoring service that uses advanced remote monitoring and management (RMM) techniques to help keep your IT system running efficiently by checking the health of the critical computers that drive your business network. When ProSight LAN Watch detects a problem, an alert is transmitted automatically to your specified IT management staff and your Progent consultant so looming problems can be addressed before they disrupt productivity. Find out more about ProSight LAN Watch server and desktop remote monitoring services.
- ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
With Progent's ProSight Virtual Hosting service, a small organization can have its key servers and apps hosted in a protected, fault-tolerant data center on a high-performance virtual machine host configured and managed by Progent's IT support experts. Under Progent's ProSight Virtual Hosting model, the customer retains ownership of the data, the operating system platforms, and the applications. Because the environment is virtualized, it can be moved immediately to a different hosting solution without a lengthy and difficult configuration process. With ProSight Virtual Hosting, your business is not tied to a single hosting service. Learn more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management is a cloud-based IT documentation management service that allows you to capture, maintain, find and safeguard information related to your IT infrastructure, procedures, applications, and services. You can quickly find passwords or IP addresses and be alerted about upcoming expirations of SSL certificates or warranties. By cleaning up and managing your IT infrastructure documentation, you can save as much as 50% of the time spent looking for critical information about your IT network. ProSight IT Asset Management includes a centralized location for storing and collaborating on all documents related to managing your business network, such as standard operating procedures and how-tos. ProSight IT Asset Management also offers a high level of automation for collecting and relating IT information. Whether you're planning improvements, doing maintenance, or reacting to a crisis, ProSight IT Asset Management delivers the information you require when you need it. Find out more about the ProSight IT Asset Management service.