Ransomware: Your Crippling Information Technology Catastrophe
Ransomware has become a too-frequent cyberplague that represents an existential danger for businesses vulnerable to an assault. Different versions of ransomware like the Dharma, Fusob, Bad Rabbit, Syskey and MongoLock cryptoworms have been circulating for a long time and continue to cause havoc. The latest versions of ransomware such as Ryuk and Hermes, as well as frequent as-yet-unnamed malware, not only encrypt on-line files but also corrupt most accessible system backups. Files synched to cloud environments can also be corrupted. In a poorly architected environment, this can render automatic restore operations impossible and basically knocks the entire system back to square one.
Getting back applications and data following a ransomware intrusion becomes a sprint against the clock as the victim tries its best to contain the damage, clear the virus and resume mission-critical operations. Because ransomware requires time to replicate, attacks are frequently launched during nights and weekends, when successful penetrations tend to take longer to uncover. This multiplies the difficulty of quickly assembling and organizing an experienced response team.
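The risk described above is that backup sets reachable from the compromised environment are encrypted along with live data, leaving only offline copies to restore from. The following PowerShell script is an added example, not Progent's code, that a defender can run from an ordinary user session to report which backup targets are reachable and writable from that context, and whether local VSS shadow copies (which many ransomware families delete) are still present. The backup paths are constructed placeholders; replace them with your own.

```powershell
# Added example (not Progent's code): report backup targets that are reachable
# and writable from the current user session, plus the state of local VSS
# shadow copies. Paths below are constructed placeholders.

$BackupTargets = @(
    '\\backup-srv\nightly',      # placeholder UNC path to a backup share
    'D:\Backups',                # placeholder local backup folder
    'C:\Users\Public\CloudSync'  # placeholder folder synced to a cloud drive
)

function Test-BackupExposure {
    param([string[]]$Paths)
    foreach ($p in $Paths) {
        $reachable = Test-Path -LiteralPath $p
        $writable  = $false
        if ($reachable) {
            # A write probe from a non-backup account shows whether malware
            # running as that user could overwrite or encrypt the backup set.
            $probe = Join-Path $p ("exposure-probe-{0}.tmp" -f [guid]::NewGuid())
            try {
                [IO.File]::WriteAllText($probe, 'probe')
                Remove-Item -LiteralPath $probe -Force
                $writable = $true
            } catch {
                $writable = $false
            }
        }
        if ($writable)       { $risk = 'HIGH: writable from user context' }
        elseif ($reachable)  { $risk = 'MEDIUM: readable from user context' }
        else                 { $risk = 'LOW: not reachable (offline or isolated)' }
        [pscustomobject]@{
            Path      = $p
            Reachable = $reachable
            Writable  = $writable
            Risk      = $risk
        }
    }
}

function Get-ShadowCopyState {
    # Win32_ShadowCopy lists VSS snapshots on this host. An empty list on a
    # machine that is expected to keep snapshots is worth investigating.
    $shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue)
    $newest  = $shadows | Sort-Object InstallDate -Descending | Select-Object -First 1
    [pscustomobject]@{
        ShadowCopyCount = $shadows.Count
        NewestSnapshot  = if ($newest) { $newest.InstallDate } else { $null }
    }
}

Test-BackupExposure -Paths $BackupTargets | Format-Table -AutoSize
Get-ShadowCopyState | Format-List
```

Run the script as a normal domain user rather than as a backup or administrator account: the point is to see what an infection running with everyday credentials could reach. Any target reported as HIGH should be moved behind a dedicated backup service account, an immutable storage tier, or a genuinely offline medium. The write probe creates and immediately deletes one small file, so run it against a test target first if your backup software alerts on unexpected writes.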
Progent provides a variety of support services for securing organizations from ransomware events. These include team member education to become familiar with and not fall victim to phishing scams, ProSight Active Security Monitoring for remote monitoring and management, in addition to setup and configuration of next-generation security gateways with machine learning technology to rapidly discover and disable zero-day cyber threats. Progent in addition offers the services of experienced ransomware recovery consultants with the skills and commitment to re-deploy a breached system as rapidly as possible.
Progent's Ransomware Restoration Help
Subsequent to a ransomware penetration, paying the ransom demanded in cryptocurrency does not provide any assurance that distant criminals will provide the codes to decipher any or all of your files. Kaspersky Labs ascertained that 17% of crypto-ransomware victims never recovered their files after having paid the ransom, resulting in additional losses. The gamble is also costly. Ryuk ransoms frequently range from 15-40 BTC ($120,000 to $400,000). This is far higher than the typical ransomware demand, which ZDNET determined to be approximately $13,000. The fallback is to piece back together the essential parts of your IT environment. Absent access to full information backups, this requires a broad complement of skill sets, professional team management, and the ability to work non-stop until the job is complete.
For decades, Progent has provided professional IT services for companies in Augusta-Richmond County and across the U.S. and has earned Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes engineers who have been awarded advanced certifications in leading technologies including Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cyber security specialists have earned internationally-recognized industry certifications including CISA, CISSP, CRISC, and GIAC. (Visit Progent's certifications.) Progent in addition has expertise in financial management and ERP software solutions. This breadth of experience gives Progent the ability to rapidly determine which systems are essential, integrate the surviving pieces of your IT environment after a ransomware attack, and rebuild them into an operational system.
Progent's security team uses state-of-the-art project management systems to orchestrate the complicated restoration process. Progent knows the urgency of acting swiftly and in concert with a client's management and IT staff to assign priority to tasks and to get essential applications back on-line as fast as humanly possible.
Customer Story: A Successful Crypto-Ransomware Virus Recovery
A small business hired Progent after their network was penetrated by Ryuk ransomware. Ryuk is believed to have been developed by North Korean state hackers, suspected of adopting techniques leaked from America's National Security Agency. Ryuk attacks specific businesses with little or no tolerance for disruption and is one of the most lucrative instances of ransomware viruses. Headline victims include Data Resolution, a California-based info warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a small manufacturing company headquartered in the Chicago metro area with around 500 workers. The Ryuk event had shut down all essential operations and manufacturing capabilities. The majority of the client's information backups had been directly accessible at the beginning of the intrusion and were encrypted. The client was actively seeking loans to pay the ransom (in excess of $200,000) and hoping for good luck, but in the end utilized Progent.
"I can't say enough in regards to the support Progent gave us throughout the most fearful period of (our) company's survival. We would have paid the cyber criminals except for the confidence the Progent team gave us. The fact that you could get our e-mail and key applications back on-line quicker than seven days was earth shattering. Every single expert I interacted with or e-mailed at Progent was urgently focused on getting my company operational and was working 24 by 7 on our behalf."
Progent worked together with the client to quickly assess and prioritize the critical elements that had to be recovered to make it possible to restart business operations:
- Active Directory (AD)
To begin, Progent followed industry best practices for anti-virus/malware incident mitigation by stopping lateral movement and performing virus removal steps. Progent then started the task of rebuilding Windows Active Directory, the heart of enterprise systems built upon Microsoft Windows technology. Microsoft Exchange messaging will not operate without AD, and the client's accounting and MRP system leveraged SQL Server, which depends on Active Directory for authentication to the data.
In less than 2 days, Progent was able to recover Active Directory to its pre-virus state. Progent then assisted with setup and storage recovery on mission critical applications. All Exchange schema and configuration information were usable, which facilitated the restore of Exchange. Progent was also able to collect non-encrypted OST data files (Microsoft Outlook Offline Folder Files) on staff PCs and laptops in order to recover email information. A not too old offline backup of the customer's accounting software made it possible to return these vital programs to service. Although a lot of work needed to be completed to recover fully from the Ryuk event, critical systems were returned to operation rapidly:
"For the most part, the production manufacturing operation ran fairly normal throughout and we made all customer deliverables."
Over the following month critical milestones in the recovery process were completed in tight cooperation between Progent engineers and the client:
- In-house web applications were restored without losing any information.
- The MailStore Exchange Server exceeding 4 million archived emails was brought online and available for users.
- CRM/Product Ordering/Invoicing/Accounts Payable (AP)/Accounts Receivables (AR)/Inventory Control capabilities were 100 percent recovered.
- A new Palo Alto 850 firewall was set up and programmed.
- Nearly all of the desktop computers were back into operation.
"A lot of what was accomplished in the initial days is nearly entirely a fog for me, but our team will not soon forget the commitment each and every one of the team accomplished to help get our business back. I have trusted Progent for at least 10 years, maybe more, and every time I needed help Progent has outperformed my expectations and delivered. This event was no exception but maybe more Herculean."
A possible business-ending catastrophe was avoided by top-tier professionals, a broad range of IT skills, and tight teamwork. In analyzing the event afterwards, the crypto-ransomware penetration detailed here should have been identified and disabled with up-to-date security solutions and recognized best practices, staff training, and properly executed incident response procedures for data backup and applying software patches. The fact remains, however, that state-sponsored cybercriminals from Russia, China and elsewhere are relentless and will continue. If you do fall victim to a crypto-ransomware incident, feel confident that Progent's roster of experts has proven experience in ransomware virus blocking, mitigation, and data restoration.
"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (and any others that were contributing), I'm grateful for allowing me to get rested after we made it over the first week. All of you did an amazing job, and if anyone that helped is around the Chicago area, a great meal is the least I can do!"
To read or download a PDF version of this customer story, see Progent's Crypto-Ransomware Incident Recovery Case Study Datasheet (PDF, 282 KB).
Additional Ransomware Protection Services Available from Progent
Progent offers companies in Augusta-Richmond County a variety of remote monitoring and security assessment services to help you to reduce your vulnerability to ransomware. These services utilize next-generation AI technology to detect new strains of ransomware that can get past legacy signature-based anti-virus products.
For 24-7 Augusta-Richmond County Crypto Remediation Support Services, contact Progent at 800-993-9400 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
ProSight Active Security Monitoring is an endpoint protection solution that utilizes cutting-edge behavior-based machine learning technology to guard physical and virtual endpoints against modern malware attacks like ransomware and file-less exploits, which routinely get by legacy signature-based anti-virus tools. ProSight Active Security Monitoring safeguards local and cloud resources and provides a single platform to manage the entire threat lifecycle including blocking, infiltration detection, containment, cleanup, and forensics. Top features include single-click rollback using Windows VSS and real-time network-wide immunization against newly discovered attacks. Find out more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware defense.
- ProSight Enhanced Security Protection: Physical and Virtual Endpoint Protection and Exchange Filtering
ProSight Enhanced Security Protection (ESP) managed services deliver ultra-affordable in-depth security for physical and virtual servers, workstations, mobile devices, and Microsoft Exchange. ProSight ESP uses contextual security and advanced heuristics for round-the-clock monitoring and reacting to security threats from all attack vectors. ProSight ESP offers firewall protection, penetration alerts, device control, and web filtering via cutting-edge tools packaged within a single agent accessible from a single console. Progent's data protection and virtualization experts can assist your business to design and configure a ProSight ESP environment that addresses your company's unique requirements and that allows you to achieve and demonstrate compliance with government and industry information security regulations. Progent will help you define and configure policies that ProSight ESP will manage, and Progent will monitor your IT environment and react to alerts that require immediate attention. Progent can also help your company to install and verify a backup and restore solution such as ProSight Data Protection Services so you can recover rapidly from a destructive security attack like ransomware. Learn more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint security and Microsoft Exchange filtering.
- ProSight Data Protection Services: Managed Backup and Recovery
ProSight Data Protection Services from Progent provide small and medium-sized organizations an affordable end-to-end service for secure backup/disaster recovery. Available at a low monthly cost, ProSight Data Protection Services automates your backup processes and enables rapid recovery of critical files, applications and VMs that have become lost or corrupted as a result of hardware breakdowns, software glitches, disasters, human error, or malware attacks like ransomware. ProSight Data Protection Services can help you back up, retrieve and restore files, folders, applications, system images, as well as Hyper-V and VMware images. Important data can be backed up to the cloud, to a local storage device, or mirrored to both. Progent's backup and recovery consultants can deliver world-class support to set up ProSight DPS to comply with government and industry regulatory standards like HIPAA, FINRA, and PCI and, when needed, can help you to recover your critical information. Find out more about ProSight DPS Managed Cloud Backup and Recovery.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam filtering service that incorporates the technology of leading information security companies to provide web-based control and comprehensive security for all your email traffic. The hybrid structure of Progent's Email Guard combines a Cloud Protection Layer with a local gateway appliance to offer complete protection against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks, and other email-based malware. Email Guard's cloud filter serves as a first line of defense and blocks most unwanted email from reaching your network firewall. This decreases your exposure to external threats and saves system bandwidth and storage space. Email Guard's onsite gateway device provides a further layer of inspection for inbound email. For outgoing email, the onsite security gateway offers anti-virus and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The on-premises gateway can also assist Exchange Server to monitor and protect internal email that originates and ends inside your security perimeter. For more details, visit ProSight Email Guard spam and content filtering.
- ProSight WAN Watch: Network Infrastructure Management
Progent's ProSight WAN Watch is a network infrastructure monitoring and management service that makes it simple and inexpensive for small and mid-sized businesses to map out, track, enhance and debug their connectivity appliances such as routers, firewalls, and access points as well as servers, client computers and other networked devices. Using cutting-edge Remote Monitoring and Management technology, ProSight WAN Watch ensures that network maps are kept updated, copies and manages the configuration of almost all devices on your network, tracks performance, and generates alerts when problems are detected. By automating tedious management activities, WAN Watch can knock hours off ordinary chores like making network diagrams, expanding your network, finding appliances that need important updates, or isolating performance bottlenecks. Learn more about ProSight WAN Watch network infrastructure monitoring and management consulting.
- ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
ProSight LAN Watch is Progent's server and desktop monitoring service that uses advanced remote monitoring and management (RMM) technology to help keep your IT system operating at peak levels by checking the state of critical computers that power your business network. When ProSight LAN Watch uncovers a problem, an alarm is transmitted immediately to your specified IT management personnel and your Progent consultant so any potential problems can be addressed before they have a chance to disrupt productivity. Learn more about ProSight LAN Watch server and desktop remote monitoring consulting.
- ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
With ProSight Virtual Hosting service, a small or mid-size organization can have its key servers and apps hosted in a secure fault tolerant data center on a fast virtual host set up and maintained by Progent's IT support professionals. With the ProSight Virtual Hosting model, the customer owns the data, the operating system software, and the applications. Because the system is virtualized, it can be ported easily to an alternate hardware environment without a time-consuming and technically risky reinstallation process. With ProSight Virtual Hosting, your business is not locked into a single hosting service. Find out more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to create, update, find and protect data about your network infrastructure, procedures, applications, and services. You can quickly locate passwords or IP addresses and be warned automatically about impending expirations of SSL certificates or domains. By cleaning up and organizing your IT documentation, you can save as much as 50% of time wasted searching for vital information about your IT network. ProSight IT Asset Management features a centralized repository for storing and collaborating on all documents required for managing your network infrastructure like standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also offers advanced automation for gathering and associating IT data. Whether you're planning improvements, performing regular maintenance, or responding to an emergency, ProSight IT Asset Management gets you the knowledge you need as soon as you need it. Read more about ProSight IT Asset Management service.