Ransomware : Your Feared Information Technology Nightmare
Ransomware has become a modern cyber pandemic and an existential threat for any business exposed to an attack. Families such as CryptoLocker, CryptoWall, Locky, SamSam and MongoLock have been in the wild for years and still cause damage. Newer crypto-ransomware strains such as Ryuk and Hermes, along with many lesser-known variants, not only encrypt critical online data but also destroy every reachable restore point and backup before or during encryption, and data synchronized to the cloud can be rendered useless as well. In a poorly designed environment this leaves no restoration path and effectively sets the entire network back to square one.
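The destruction of restore points and backups described above is usually carried out with ordinary Windows administration tools (vssadmin, wmic, bcdedit, wbadmin) minutes before encryption starts, so a burst of those commands is one of the last detection opportunities before data is lost. The following is an added example, not code from the original page or from Progent, that scans process-creation records in the shape of Windows Security event 4688 (with command-line auditing enabled) for that pattern. The log lines, host names and user names are constructed for the example; the log format is an assumption about how your SIEM exports these events.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed sample lines in the shape of Windows Security event 4688
# (process creation, command-line auditing enabled). They are not real
# logs from the incident described on this page; the export format is an
# assumption and should be adjusted to your SIEM.
SAMPLE_EVENTS = [
    '2019-06-22 02:13:41 host=MFG-FS01 event=4688 user=CORP\\svc_backup cmd="C:\\Windows\\System32\\vssadmin.exe Delete Shadows /All /Quiet"',
    '2019-06-22 02:13:42 host=MFG-FS01 event=4688 user=CORP\\svc_backup cmd="wmic.exe shadowcopy delete"',
    '2019-06-22 02:13:44 host=MFG-FS01 event=4688 user=CORP\\svc_backup cmd="bcdedit.exe /set {default} recoveryenabled No"',
    '2019-06-22 02:13:45 host=MFG-FS01 event=4688 user=CORP\\svc_backup cmd="wbadmin.exe delete catalog -quiet"',
    '2019-06-22 02:14:02 host=MFG-DC01 event=4688 user=CORP\\jsmith cmd="C:\\Windows\\System32\\notepad.exe C:\\Users\\jsmith\\notes.txt"',
    '2019-06-22 02:14:10 host=MFG-DC01 event=4688 user=CORP\\jsmith cmd="vssadmin.exe list shadows"',
]

EVENT_RE = re.compile(
    r'^(?P<ts>\S+ \S+) host=(?P<host>\S+) event=(?P<event>\d+) '
    r'user=(?P<user>\S+) cmd="(?P<cmd>.*)"$'
)

# Command lines ransomware such as Ryuk issues before encryption to make
# local recovery impossible. Each pattern is anchored on the tool name AND
# its destructive verb so that routine use ("vssadmin list shadows") does
# not fire.
DESTRUCTIVE_PATTERNS = [
    (re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I), "shadow copies deleted (vssadmin)"),
    (re.compile(r"\bvssadmin(\.exe)?\s+resize\s+shadowstorage\b.*/maxsize=", re.I), "shadow storage shrunk to evict copies"),
    (re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I), "shadow copies deleted (wmic)"),
    (re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I), "Windows recovery environment disabled"),
    (re.compile(r"\bbcdedit(\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I), "boot failure recovery suppressed"),
    (re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog\b", re.I), "Windows Server Backup catalog deleted"),
]


@dataclass
class Finding:
    timestamp: str
    host: str
    user: str
    command: str
    reason: str


def parse_event(line: str) -> Optional[dict]:
    """Split one exported 4688 line into its fields, or None if malformed."""
    m = EVENT_RE.match(line)
    return m.groupdict() if m else None


def classify_command(cmd: str) -> Optional[str]:
    """Return why a command line is backup-destructive, or None if benign."""
    for pattern, reason in DESTRUCTIVE_PATTERNS:
        if pattern.search(cmd):
            return reason
    return None


def find_backup_destruction(lines: Iterable[str]) -> List[Finding]:
    """Scan process-creation records and return every destructive command."""
    findings: List[Finding] = []
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["event"] != "4688":
            continue
        reason = classify_command(ev["cmd"])
        if reason:
            findings.append(Finding(ev["ts"], ev["host"], ev["user"], ev["cmd"], reason))
    return findings


def hosts_to_isolate(findings: List[Finding], min_hits: int = 2) -> List[str]:
    """Hosts with several destructive commands in the scan window: the
    ransomware pre-encryption pattern, as opposed to one admin freeing disk."""
    counts: dict = {}
    for f in findings:
        counts[f.host] = counts.get(f.host, 0) + 1
    return sorted(h for h, n in counts.items() if n >= min_hits)


if __name__ == "__main__":
    hits = find_backup_destruction(SAMPLE_EVENTS)
    for f in hits:
        print(f"{f.timestamp} {f.host} {f.user}: {f.reason} <- {f.command}")
    print("hosts to isolate:", hosts_to_isolate(hits))
```

Running it flags the four commands on MFG-FS01 and leaves the notepad and "vssadmin list shadows" lines alone; a SIEM rule built on the same idea should page on the burst, not on a single hit, and the response is to isolate the host immediately rather than wait for the encryption itself to be noticed. Note that event 4688 carries the command line only when "Include command line in process creation events" is enabled by policy; without it (or Sysmon event 1) this detection has nothing to match.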

Recovering programs and data after a crypto-ransomware event becomes a race against the clock as the targeted organization struggles to stop lateral movement, remove the ransomware and restore mission-critical operations. Because ransomware takes time to spread, attacks are usually triggered at night or on weekends, when they take longer to discover. This compounds the difficulty of rapidly assembling and coordinating an experienced response team.

Progent offers a range of services for protecting businesses from crypto-ransomware attacks. These include staff training to recognize and avoid phishing, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and deployment of modern security appliances that use machine learning to detect and block new attacks. Progent can also provide seasoned crypto-ransomware recovery consultants with the track record and commitment to bring a compromised network back as quickly as possible.

Progent's Ransomware Restoration Services
After a ransomware attack, even paying the ransom in cryptocurrency does not guarantee that the criminals will hand over the keys needed to decrypt any or all of your files. Kaspersky found that seventeen percent of crypto-ransomware victims never recovered their files after paying, compounding their losses. The gamble is also expensive: Ryuk ransoms often range from fifteen to forty BTC (roughly $120,000 to $400,000), far above the average ransomware demand, which ZDNet estimates at around $13,000. The alternative is to rebuild the essential parts of your IT environment from scratch. Without complete backups, this requires a broad set of skills, professional project management, and the ability to work around the clock until the job is done.

For two decades, Progent has provided professional IT services to businesses in Centennial and across the United States and has earned Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes engineers with advanced certifications in leading technologies such as Microsoft, Cisco, VMware, and popular Linux distributions. Progent's cyber security consultants hold internationally recognized certifications including CISA, CISSP-ISSAP, ISACA CRISC, and GIAC (see Progent's certifications). Progent also has experience with accounting and ERP applications. This breadth of experience allows Progent to quickly identify critical systems, salvage the surviving parts of your network following a crypto-ransomware attack, and rebuild them into a functioning environment.

Progent's ransomware team uses modern project management tools to coordinate the complex recovery process. Progent understands the urgency of acting quickly and in concert with a client's management and IT staff to prioritize tasks and bring critical applications back online as fast as possible.

Customer Story: A Successful Ransomware Incident Recovery
A manufacturing business called Progent after its network was taken over by Ryuk ransomware. Ryuk was initially attributed to North Korean state-sponsored actors because it shares code with the Hermes ransomware; later analysis attributed it to a Russian-speaking criminal group. Ryuk targets specific organizations with little tolerance for operational disruption and is one of the most profitable ransomware families. Widely publicized victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a single-location manufacturer headquartered in Chicago with about 500 employees. The Ryuk attack had brought down all essential business and manufacturing operations. Most of the client's backups had been online when the intrusion began and were destroyed. The client was considering paying the ransom (more than two hundred thousand dollars) and hoping for the best, but ultimately called Progent.


"I cannot say enough in regards to the care Progent gave us throughout the most stressful time of (our) company's life. We had little choice but to pay the Hackers if not for the confidence the Progent team provided us. That you could get our e-mail and important applications back online quicker than a week was something I thought impossible. Every single staff member I talked with or messaged at Progent was laser focused on getting us restored and was working non-stop to bail us out."

Progent worked hand in hand with the customer to quickly identify and prioritize the most important systems that had to be recovered before departmental functions could restart:

  • Active Directory (AD)
  • Microsoft Exchange Email
  • Financials/MRP
To start, Progent followed ransomware incident mitigation best practices by stopping the spread and disinfecting systems. Progent then began recovering Microsoft AD, the core of any Windows-based enterprise network: Exchange messaging will not function without AD, and the business's financials and MRP software ran on SQL Server, which relied on Active Directory for authentication and authorization to the data.

Within two days, Progent had rebuilt Active Directory to its pre-intrusion state. Progent then completed the rebuild and disk recovery of the essential systems. All Exchange links and attributes in AD were intact, which accelerated the Exchange restore. Progent was also able to collect unencrypted OST files (Outlook Offline Data Files) from staff desktops and laptops to recover mail messages. A reasonably recent offline backup of the accounting software made it possible to bring those required applications back online. Although a great deal of work remained to recover fully from the Ryuk attack, the most important services were restored quickly:
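Harvesting OST files from workstations, as described above, only helps if the copies are actually intact: ransomware that overwrote a file in place leaves the .ost name but not the contents, and Ryuk also renamed files with its own suffix. The following added example (not Progent's tooling or anything from the original page) triages a profile tree by checking the 4-byte "!BDN" signature that Outlook PST/OST files carry at offset 0, then copies the intact ones into a collection folder named by host and content hash so files from many machines can be gathered without collisions. The profile layout, host name and file contents are constructed for the example; the .RYK suffix matching is an assumption about the variant encountered.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List

# Outlook PST/OST files begin with the signature "!BDN" (the dwMagic field
# of the file header). A file that ransomware has overwritten no longer
# starts with these bytes even if it still ends in .ost.
OST_MAGIC = b"!BDN"


def is_intact_ost(path: Path) -> bool:
    """True if the file still carries the Outlook data-file signature."""
    try:
        with path.open("rb") as fh:
            return fh.read(4) == OST_MAGIC
    except OSError:
        return False


def triage_ost_files(root: Path) -> Dict[str, List[Path]]:
    """Walk a profile tree and split OST files into intact and damaged.

    Matches "name.ost" as well as "name.ost.RYK" (assumption: the ransomware
    appended its own suffix rather than replacing the extension)."""
    result: Dict[str, List[Path]] = {"intact": [], "damaged": []}
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        if ".ost" not in [s.lower() for s in p.suffixes]:
            continue
        result["intact" if is_intact_ost(p) else "damaged"].append(p)
    return result


def collect_intact(intact: List[Path], dest: Path, host: str) -> List[Path]:
    """Copy intact OSTs into a collection folder, naming each copy by host
    and a SHA-256 prefix so copies from many workstations never collide and
    each one can be verified after transfer. copy2 preserves timestamps."""
    dest.mkdir(parents=True, exist_ok=True)
    copied: List[Path] = []
    for src in intact:
        digest = hashlib.sha256(src.read_bytes()).hexdigest()[:12]
        target = dest / f"{host}_{src.stem}_{digest}.ost"
        shutil.copy2(src, target)
        copied.append(target)
    return copied


def build_constructed_profile(root: Path) -> None:
    """Create a fake Outlook profile tree (constructed test data, not a
    real user profile)."""
    ost_dir = root / "Users" / "jsmith" / "AppData" / "Local" / "Microsoft" / "Outlook"
    ost_dir.mkdir(parents=True)
    # Untouched cache file: correct signature.
    (ost_dir / "jsmith@example.com.ost").write_bytes(OST_MAGIC + b"\x00" * 508)
    # Encrypted in place: name kept, contents replaced.
    (ost_dir / "archive.ost").write_bytes(b"\x8a\x3f\x19\xd2" + b"\x00" * 508)
    # Encrypted and renamed with the ransomware's suffix.
    (ost_dir / "old.ost.RYK").write_bytes(b"\x00\x11\x22\x33" + b"\x00" * 508)
    # Unrelated file that must be ignored.
    (ost_dir / "notes.txt").write_text("not an OST")


def run_demo() -> Dict[str, object]:
    """Build the constructed profile in a temp dir, triage it, and collect
    the intact files; returns counts for inspection."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_constructed_profile(root / "ws01")
        found = triage_ost_files(root / "ws01")
        copied = collect_intact(found["intact"], root / "collection", host="WS01")
        return {
            "intact": len(found["intact"]),
            "damaged": len(found["damaged"]),
            "copied": len(copied),
            "copied_intact": all(is_intact_ost(p) for p in copied),
        }


if __name__ == "__main__":
    print(run_demo())
```

Run against the constructed tree it reports one intact file, two damaged ones and one verified copy. In a real engagement, run the collection from clean media against workstations that have already been isolated and cleaned, and never open the harvested OSTs in Outlook on the affected machine; an OST is a cache tied to the original mailbox and profile, so recovery normally means converting it to a PST and importing that into the rebuilt mailbox.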


"For the most part, the production line operation was never shut down and we delivered all customer orders."

Over the next couple of weeks key milestones in the recovery project were made in close collaboration between Progent engineers and the customer:

  • In-house web sites were restored with no loss of data.
  • The MailStore archive server, holding more than four million historical Exchange messages, was brought online and made available to users.
  • CRM, order entry, invoicing, AP, accounts receivable (AR) and inventory modules were fully functional.
  • A new Palo Alto Networks PA-850 firewall was installed.
  • 90% of user workstations were operational.

"Much of what happened those first few days is mostly a fog for me, but I will not forget the care all of the team put in to give us our company back. I've been working with Progent for the past ten years, maybe more, and each time I needed help Progent has shined and delivered. This situation was a testament to your capabilities."

Conclusion
A potential business-ending disaster was averted by dedicated experts, a broad range of IT skills, and tight teamwork. Forensics showed that the incident described here could have been detected and prevented with current security tooling and best practices, staff training, and properly executed procedures for offline backups and timely security patching. Even so, state-sponsored and criminal attackers from Russia, North Korea and elsewhere are tireless and represent an ongoing threat. If you are hit by a ransomware incident, you can be confident that Progent's team has proven experience in crypto-ransomware blocking, mitigation, and data recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (and any others that were contributing), thank you for allowing me to get some sleep after we made it past the most critical parts. All of you did an amazing job, and if any of your team is around the Chicago area, dinner is the least I can do!"

To review or download a PDF version of this customer story, click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent offers businesses in Centennial a range of remote monitoring and security assessment services to help minimize the threat from crypto-ransomware. These services use modern machine learning technology to detect new ransomware variants that evade traditional signature-based anti-virus products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring is an endpoint protection service that incorporates next generation behavior-based machine learning technology to guard physical and virtual endpoint devices against modern malware assaults like ransomware and file-less exploits, which routinely evade traditional signature-matching AV tools. ProSight ASM safeguards local and cloud resources and provides a single platform to address the complete malware attack lifecycle including blocking, detection, containment, remediation, and post-attack forensics. Top features include one-click rollback with Windows VSS and automatic network-wide immunization against new threats. Read more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection: Endpoint Protection and Microsoft Exchange Filtering
    ProSight Enhanced Security Protection (ESP) managed services deliver affordable multi-layer protection for physical servers and VMs, workstations, smartphones, and Microsoft Exchange. ProSight ESP uses adaptive security and modern behavior analysis for round-the-clock monitoring and response to cyber attacks from all attack vectors. ProSight ESP offers two-way firewall protection, intrusion alerts, device management, and web filtering via cutting-edge technologies incorporated within a single agent accessible from a single console. Progent's security and virtualization consultants can help your business design and configure a ProSight ESP environment that addresses your organization's specific needs and that allows you to prove compliance with legal and industry data security standards. Progent will help you define and configure the security policies that ProSight ESP will enforce, and Progent will monitor your network and react to alarms that call for urgent action. Progent's consultants can also help your company set up and test a backup and restore solution like ProSight Data Protection Services so you can recover quickly from a destructive cyber attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint protection and Microsoft Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery
    ProSight Data Protection Services offer small and mid-sized businesses an affordable end-to-end service for reliable backup/disaster recovery (BDR). Available at a low monthly price, ProSight DPS automates your backup processes and allows rapid recovery of vital data, applications and VMs that have become unavailable or corrupted due to hardware breakdowns, software bugs, disasters, human mistakes, or malware attacks like ransomware. ProSight DPS can help you back up, retrieve and restore files, folders, apps, system images, as well as Microsoft Hyper-V and VMware virtual machine images. Critical data can be protected in the cloud, on a local device, or mirrored to both. Progent's BDR consultants can provide advanced expertise to set up ProSight DPS to comply with government and industry regulatory standards like HIPAA, FINRA, PCI and Safe Harbor and, whenever necessary, can help you restore your critical data. Read more about ProSight Data Protection Services Managed Backup.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering and email encryption service that uses the technology of top data security companies to deliver web-based control and world-class protection for your inbound and outbound email. The powerful architecture of the Email Guard managed service combines cloud-based filtering with a local gateway device to provide complete defense against spam, viruses, Denial of Service (DoS) attacks, directory harvest attacks (DHAs), and other email-borne threats. Email Guard's Cloud Protection Layer acts as a preliminary barricade and keeps the vast majority of unwanted email from reaching your security perimeter. This reduces your exposure to inbound attacks and saves network bandwidth and storage. Email Guard's onsite gateway device provides a deeper layer of inspection for incoming email. For outbound email, the onsite gateway offers AV and anti-spam protection, DLP, and email encryption. The onsite gateway can also help Microsoft Exchange Server track and protect internal email that stays inside your corporate firewall. For more information, visit ProSight Email Guard spam and content filtering.

  • ProSight WAN Watch: Infrastructure Management
    ProSight WAN Watch is an infrastructure management service that makes it simple and affordable for smaller organizations to map out, track, enhance and troubleshoot their connectivity hardware like routers and switches, firewalls, and access points as well as servers, client computers and other networked devices. Incorporating cutting-edge RMM technology, ProSight WAN Watch makes sure that infrastructure topology diagrams are kept updated, copies and displays the configuration of almost all devices connected to your network, monitors performance, and generates alerts when problems are detected. By automating tedious management and troubleshooting activities, ProSight WAN Watch can cut hours off common tasks like making network diagrams, reconfiguring your network, locating devices that need critical software patches, or identifying the cause of performance bottlenecks. Find out more details about ProSight WAN Watch infrastructure monitoring and management consulting.

  • ProSight LAN Watch: Server and Desktop Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that incorporates state-of-the-art remote monitoring and management (RMM) techniques to help keep your network operating at peak levels by checking the state of the vital computers that drive your business network. When ProSight LAN Watch detects an issue, an alarm is sent automatically to your designated IT staff and your Progent engineering consultant so potential issues can be addressed before they disrupt your network. Learn more details about ProSight LAN Watch server and desktop remote monitoring consulting.

  • ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
    With ProSight Virtual Hosting service, a small or mid-size organization can have its key servers and applications hosted in a secure Tier III data center on a fast virtual machine host set up and maintained by Progent's network support professionals. Under Progent's ProSight Virtual Hosting service model, the customer retains ownership of the data, the OS software, and the applications. Since the system is virtualized, it can be moved immediately to an alternate hardware solution without a time-consuming and technically risky reinstallation procedure. With ProSight Virtual Hosting, you are not tied to a single hosting service. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to create, update, retrieve and safeguard information related to your network infrastructure, procedures, applications, and services. You can quickly locate passwords or serial numbers and be warned automatically about impending expirations of SSL certificates or warranties. By updating and organizing your IT documentation, you can save up to 50% of the time wasted trying to find critical information about your IT network. ProSight IT Asset Management includes a centralized repository for storing and collaborating on all documents related to managing your business network such as standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also supports a high level of automation for collecting and relating IT data. Whether you're planning enhancements, performing regular maintenance, or reacting to a crisis, ProSight IT Asset Management delivers the data you require the instant you need it. Find out more about Progent's ProSight IT Asset Management service.
For Centennial 24x7x365 Crypto-Ransomware Cleanup Help, call Progent at 800-993-9400 or go to Contact Progent.