Ransomware : Your Worst Information Technology Nightmare
Ransomware has become an escalating cyber pandemic that presents an extinction-level threat for organizations unprepared for an attack. Multiple generations of ransomware like the CrySIS, Fusob, Bad Rabbit, Syskey and MongoLock cryptoworms have been around for years and continue to inflict destruction. Newer strains of crypto-ransomware such as Ryuk and Hermes, along with daily unnamed variants, not only encrypt critical online data but also infiltrate any reachable system backups. Data synchronized to cloud environments can also be ransomed. In a poorly architected data protection solution, this can make automatic recovery hopeless and effectively knocks the network back to square one.
Restoring services and information following a ransomware event becomes a sprint against time as the targeted organization fights to contain and clean up the crypto-ransomware and to resume business-critical activity. Because ransomware takes time to move laterally, attacks are usually sprung on weekends, when intrusions typically take longer to detect. This multiplies the difficulty of quickly mobilizing and organizing a knowledgeable response team.
Progent provides a range of services for securing businesses against ransomware intrusions. Among these are team member education to help recognize and avoid phishing scams, ProSight Active Security Monitoring for remote monitoring and management, and setup and configuration of modern security appliances with AI capabilities to automatically detect and quarantine new threats. Progent also offers the assistance of experienced crypto-ransomware recovery engineers with the track record and perseverance to rebuild a compromised environment as rapidly as possible.
Progent's Crypto-Ransomware Restoration Services
Soon after a ransomware event, sending the ransom in Bitcoin cryptocurrency does not guarantee that distant criminals will return the keys to decrypt all your information. Kaspersky Labs ascertained that seventeen percent of ransomware victims never recovered their information even after having paid the ransom, resulting in additional losses. The risk is also costly. Ryuk ransoms commonly range from 15-40 BTC ($120,000 to $400,000). This is far higher than the usual ransomware demands, which ZDNET estimates to be around $13,000. The other path is to piece back together the key components of your IT environment. Without complete system backups available, this calls for a broad complement of IT skills, professional team management, and the capability to work continuously until the recovery project is over.
For two decades, Progent has made available expert Information Technology services for businesses in Chandler and across the United States and has earned Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes consultants who have been awarded top industry certifications in key technologies like Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's security experts have earned internationally-renowned industry certifications including CISA, CISSP, CRISC, and GIAC. (Visit Progent's certifications). Progent also has experience with financial management and ERP applications. This breadth of experience gives Progent the skills to efficiently identify critical systems, re-organize the surviving components of your IT system after a ransomware event, and configure them into a functioning network.
Progent's ransomware team utilizes best-of-breed project management applications to orchestrate the complicated restoration process. Progent knows the importance of acting rapidly and together with a client's management and Information Technology staff to assign priority to tasks and to put critical systems back on line as soon as possible.
Client Case Study: A Successful Ransomware Virus Restoration
A business hired Progent after their network was penetrated by the Ryuk crypto-ransomware. Ryuk is generally considered to have been created by North Korean state hackers, possibly adopting techniques leaked from America's National Security Agency. Ryuk goes after specific organizations with little tolerance for disruption and is among the most lucrative examples of crypto-ransomware. Notable victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a regional manufacturing company headquartered in Chicago with about 500 staff members. The Ryuk intrusion had shut down all business operations and manufacturing processes. Most of the client's system backups had been on-line at the beginning of the intrusion and were destroyed. The client was actively seeking loans to pay the ransom (in excess of two hundred thousand dollars) and hoping for the best, but in the end called Progent.
"I can't tell you enough in regards to the help Progent provided us throughout the most fearful period of (our) company's existence. We had little choice but to pay the hackers behind this attack if not for the confidence the Progent group gave us. That you were able to get our e-mail system and critical servers back sooner than 1 week was amazing. Every single person I interacted with or texted at Progent was laser focused on getting us restored and was working at all hours to bail us out."
Progent worked together with the client to rapidly assess and assign priority to the most important areas that had to be restored in order to restart company operations:
- Microsoft Active Directory
- Microsoft Exchange Server
- MRP System
To start, Progent followed industry best practices for AV/malware incident mitigation by isolating and removing active malware. Progent then started the steps of rebuilding Active Directory, the foundation of enterprise environments built upon Microsoft Windows technology. Exchange email will not work without AD, and the client's financials and MRP software used Microsoft SQL Server, which requires Active Directory services for authentication to the data.
In less than two days, Progent was able to recover Active Directory services to its pre-intrusion state. Progent then performed reinstallations and hard drive recovery of critical applications. All Exchange Server ties and configuration information were usable, which accelerated the restore of Exchange. Progent was able to assemble local OST data files (Outlook Off-Line Folder Files) from staff desktop computers in order to recover mail messages. A relatively recent off-line backup of the client's accounting/ERP software made it possible to bring these vital applications back online. Although significant work still had to be done to recover completely from the Ryuk attack, critical services were recovered quickly:
"For the most part, the assembly line operation showed little impact and we produced all customer sales."
During the next few weeks important milestones in the restoration process were achieved in close collaboration between Progent consultants and the customer:
- Self-hosted web applications were brought back up with no loss of data.
- The MailStore Microsoft Exchange Server containing more than 4 million archived messages was brought on-line and available for users.
- CRM/Product Ordering/Invoices/Accounts Payable (AP)/Accounts Receivables (AR)/Inventory Control modules were 100% restored.
- A new Palo Alto Networks 850 security appliance was brought online.
- 90% of the user desktops and notebooks were functioning as before the incident.
"So much of what transpired in the initial days is mostly a blur for me, but we will not soon forget the care each of your team put in to help get our company back. I have trusted Progent for the past 10 years, possibly more, and each time Progent has outperformed my expectations and delivered. This time was a testament to your capabilities."
A probable business-killing disaster was averted by results-oriented professionals, a wide array of IT skills, and tight teamwork. In post-mortem analysis, the ransomware intrusion described here could have been prevented with up-to-date security solutions and security best practices, team education, well designed incident response procedures, off-line data backups, and systems kept current with security patches. The fact remains, however, that state-sponsored hackers from China, North Korea and elsewhere are relentless and represent an ongoing threat. If you do get hit by a crypto-ransomware intrusion, remember that Progent's team of experts has extensive experience in ransomware blocking, remediation, and information systems recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (and any others that were helping), thanks very much for making it so I could get rested after we got past the initial fire. Everyone did an amazing job, and if anyone is around the Chicago area, a great meal is my treat!"
To review or download a PDF version of this case study, click:
Progent's Crypto-Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Available from Progent
Progent can provide businesses in Chandler a range of online monitoring and security assessment services designed to help you to reduce your vulnerability to ransomware. These services utilize modern machine learning technology to uncover new variants of crypto-ransomware that are able to escape detection by legacy signature-based anti-virus solutions.
For 24-7 Chandler Ransomware Removal Consultants, reach out to Progent at 800-993-9400 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
ProSight Active Security Monitoring is an endpoint protection solution that incorporates cutting edge behavior analysis tools to guard physical and virtual endpoint devices against new malware attacks like ransomware and email phishing, which routinely slip past legacy signature-based AV tools. ProSight ASM protects on-premises and cloud resources and provides a single platform to manage the entire malware attack progression including protection, infiltration detection, mitigation, remediation, and post-attack forensics. Top capabilities include single-click rollback with Windows VSS and automatic network-wide immunization against new attacks. Learn more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware recovery.
- ProSight Enhanced Security Protection: Endpoint Protection and Exchange Email Filtering
Progent's ProSight Enhanced Security Protection services offer ultra-affordable multi-layer protection for physical servers and virtual machines, workstations, smartphones, and Microsoft Exchange. ProSight ESP utilizes contextual security and modern behavior analysis for round-the-clock monitoring and responding to security threats from all attack vectors. ProSight ESP provides two-way firewall protection, intrusion alerts, device control, and web filtering through leading-edge tools incorporated within a single agent accessible from a unified console. Progent's data protection and virtualization consultants can assist you to plan and implement a ProSight ESP environment that meets your organization's unique requirements and that allows you to prove compliance with government and industry information security standards. Progent will help you define and configure security policies that ProSight ESP will enforce, and Progent will monitor your network and respond to alerts that require immediate attention. Progent can also assist you to set up and test a backup and restore solution like ProSight Data Protection Services (DPS) so you can recover quickly from a destructive cyber attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint security and Exchange filtering.
- ProSight Data Protection Services: Managed Backup and Disaster Recovery
ProSight Data Protection Services provide small and medium-sized businesses a low cost end-to-end service for secure backup/disaster recovery. For a low monthly rate, ProSight DPS automates and monitors your backup processes and enables rapid restoration of vital data, applications and virtual machines that have become lost or damaged due to hardware breakdowns, software bugs, disasters, human error, or malware attacks such as ransomware. ProSight DPS can help you protect, recover and restore files, folders, applications, system images, as well as Hyper-V and VMware images. Critical data can be protected in the cloud, on a local device, or mirrored to both. Progent's BDR specialists can deliver world-class support to configure ProSight Data Protection Services to comply with government and industry regulatory requirements such as HIPAA, FIRPA, and PCI and, when necessary, can assist you to restore your business-critical data. Learn more about ProSight DPS Managed Cloud Backup and Recovery.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam and virus filtering and email encryption service that uses the technology of top information security vendors to provide web-based control and comprehensive protection for your inbound and outbound email. The hybrid architecture of Progent's Email Guard integrates cloud-based filtering with a local gateway device to offer advanced defense against spam, viruses, DoS attacks, directory harvest attacks (DHAs), and other email-borne threats. Email Guard's Cloud Protection Layer acts as a preliminary barricade and keeps the vast majority of unwanted email from reaching your security perimeter. This decreases your exposure to inbound threats and conserves system bandwidth and storage. Email Guard's on-premises security gateway device adds a further layer of inspection for incoming email. For outgoing email, the on-premises security gateway provides AV and anti-spam filtering, DLP, and email encryption. The local gateway can also assist Microsoft Exchange Server to monitor and protect internal email that stays inside your security perimeter. For more information, see Email Guard spam and content filtering.
- ProSight WAN Watch: Infrastructure Management
Progent's ProSight WAN Watch is an infrastructure management service that makes it simple and affordable for small and mid-sized businesses to map, monitor, enhance and troubleshoot their networking hardware like switches, firewalls, and wireless controllers plus servers, endpoints and other networked devices. Using state-of-the-art Remote Monitoring and Management technology, ProSight WAN Watch makes sure that network maps are kept updated, captures and displays the configuration of almost all devices connected to your network, tracks performance, and sends notices when problems are discovered. By automating complex management and troubleshooting processes, WAN Watch can cut hours off ordinary chores like network mapping, reconfiguring your network, locating devices that require important updates, or resolving performance bottlenecks. Learn more about ProSight WAN Watch infrastructure management consulting.
- ProSight LAN Watch: Server and Desktop Remote Monitoring
ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that incorporates state-of-the-art remote monitoring and management (RMM) technology to keep your IT system running at peak levels by tracking the state of critical computers that drive your information system. When ProSight LAN Watch detects an issue, an alarm is sent automatically to your designated IT staff and your Progent consultant so that any potential issues can be resolved before they can impact productivity. Find out more details about ProSight LAN Watch server and desktop monitoring services.
- ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
With ProSight Virtual Hosting service, a small business can have its critical servers and apps hosted in a protected Tier III data center on a fast virtual host configured and maintained by Progent's IT support professionals. With Progent's ProSight Virtual Hosting model, the client retains ownership of the data, the operating system platforms, and the apps. Since the environment is virtualized, it can be ported easily to an alternate hosting solution without requiring a time-consuming and technically risky reinstallation process. With ProSight Virtual Hosting, you are not tied to a single hosting provider. Learn more details about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to create, update, find and protect data related to your IT infrastructure, procedures, applications, and services. You can instantly locate passwords or IP addresses and be warned about upcoming expirations of SSL certificates, domains or warranties. By cleaning up and managing your IT infrastructure documentation, you can eliminate as much as 50% of the time wasted trying to find critical information about your network. ProSight IT Asset Management includes a common repository for holding and collaborating on all documents related to managing your business network such as standard operating procedures (SOPs) and How-To's. ProSight IT Asset Management also offers advanced automation for collecting and relating IT data. Whether you're planning improvements, doing regular maintenance, or responding to an emergency, ProSight IT Asset Management gets you the information you require when you need it. Read more about ProSight IT Asset Management service.