Ransomware : Your Crippling Information Technology Catastrophe
Ransomware  Recovery ConsultantsCrypto-Ransomware has become a too-frequent cyberplague that presents an extinction-level danger for organizations poorly prepared for an attack. Different versions of crypto-ransomware such as Reveton, Fusob, Bad Rabbit, Syskey and MongoLock cryptoworms have been replicating for many years and continue to cause harm. The latest versions of crypto-ransomware like Ryuk and Hermes, plus frequent unnamed malware, not only encrypt on-line data but also infect many available system backups. Data synchronized to the cloud can also be corrupted. In a vulnerable environment, it can render automated restore operations hopeless and effectively sets the entire system back to square one.

Restoring services and information after a crypto-ransomware event becomes a race against time as the victim struggles to stop lateral movement and cleanup the virus and to resume enterprise-critical activity. Because ransomware requires time to move laterally, attacks are usually launched during weekends and nights, when successful attacks typically take longer to recognize. This multiplies the difficulty of quickly marshalling and coordinating a capable mitigation team.

Progent makes available a range of services for protecting enterprises from ransomware penetrations. Among these are user education to help recognize and not fall victim to phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, along with setup and configuration of modern security gateways with AI technology to intelligently identify and disable day-zero threats. Progent also provides the assistance of veteran ransomware recovery consultants with the skills and perseverance to reconstruct a compromised network as soon as possible.

Progent's Ransomware Recovery Services
Following a ransomware event, sending the ransom in cryptocurrency does not ensure that merciless criminals will return the needed keys to decipher any of your data. Kaspersky Labs estimated that seventeen percent of ransomware victims never recovered their data even after having sent off the ransom, resulting in more losses. The risk is also expensive. Ryuk ransoms often range from fifteen to forty BTC ($120,000 and $400,000). This is significantly above the usual crypto-ransomware demands, which ZDNET averages to be around $13,000. The alternative is to piece back together the critical components of your Information Technology environment. Without the availability of full data backups, this calls for a wide complement of IT skills, professional project management, and the capability to work 24x7 until the recovery project is completed.

For twenty years, Progent has provided professional Information Technology services for businesses in Portland and throughout the United States and has earned Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes engineers who have attained top industry certifications in important technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's security specialists have earned internationally-recognized certifications including CISA, CISSP, CRISC, and GIAC. (Refer to Progent's certifications). Progent in addition has experience with accounting and ERP application software. This breadth of experience gives Progent the ability to quickly identify necessary systems and re-organize the surviving parts of your computer network environment after a crypto-ransomware event and rebuild them into a functioning system.

Progent's security team of experts utilizes best of breed project management applications to coordinate the sophisticated recovery process. Progent knows the importance of working swiftly and in concert with a customerís management and Information Technology resources to assign priority to tasks and to put the most important applications back online as soon as possible.

Customer Case Study: A Successful Crypto-Ransomware Intrusion Recovery
A business engaged Progent after their organization was taken over by Ryuk crypto-ransomware. Ryuk is thought to have been launched by Northern Korean state criminal gangs, possibly using techniques leaked from the U.S. National Security Agency. Ryuk targets specific organizations with little ability to sustain operational disruption and is one of the most lucrative examples of ransomware. Headline victims include Data Resolution, a California-based information warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a regional manufacturing business located in Chicago and has around 500 staff members. The Ryuk penetration had shut down all essential operations and manufacturing processes. Most of the client's information backups had been directly accessible at the time of the attack and were encrypted. The client was taking steps for paying the ransom demand (more than $200K) and wishfully thinking for the best, but ultimately called Progent.


"I canít tell you enough in regards to the expertise Progent gave us during the most stressful time of (our) companyís survival. We may have had to pay the cybercriminals except for the confidence the Progent team afforded us. That you were able to get our e-mail system and key servers back into operation sooner than five days was beyond my wildest dreams. Every single consultant I got help from or e-mailed at Progent was absolutely committed on getting us back on-line and was working 24/7 on our behalf."

Progent worked with the customer to quickly understand and prioritize the mission critical areas that had to be recovered to make it possible to restart departmental functions:

  • Active Directory
  • E-Mail
  • Financials/MRP
To start, Progent followed Anti-virus incident mitigation industry best practices by stopping lateral movement and cleaning systems of viruses. Progent then started the steps of restoring Microsoft Active Directory, the core of enterprise environments built on Microsoft Windows Server technology. Microsoft Exchange Server messaging will not function without Active Directory, and the customerís financials and MRP system leveraged Microsoft SQL, which needs Active Directory services for access to the database.

In less than 2 days, Progent was able to re-build Windows Active Directory to its pre-penetration state. Progent then completed setup and hard drive recovery on needed applications. All Microsoft Exchange Server data and configuration information were intact, which facilitated the rebuild of Exchange. Progent was also able to locate intact OST files (Outlook Offline Data Files) on user PCs in order to recover mail messages. A not too old off-line backup of the customerís financials/MRP systems made it possible to recover these vital programs back online for users. Although a large amount of work needed to be completed to recover completely from the Ryuk attack, the most important systems were returned to operations rapidly:


"For the most part, the assembly line operation ran fairly normal throughout and we made all customer orders."

Throughout the next month key milestones in the restoration project were completed in tight collaboration between Progent team members and the customer:

  • In-house web applications were returned to operation with no loss of information.
  • The MailStore Server exceeding four million archived messages was brought online and available for users.
  • CRM/Product Ordering/Invoicing/Accounts Payable/AR/Inventory Control modules were 100% recovered.
  • A new Palo Alto Networks 850 firewall was brought online.
  • Nearly all of the desktops and laptops were back into operation.

"A lot of what was accomplished during the initial response is nearly entirely a blur for me, but I will not soon forget the urgency all of the team accomplished to help get our company back. I have trusted Progent for the past ten years, possibly more, and each time Progent has come through and delivered as promised. This situation was a life saver."

Conclusion
A possible business catastrophe was averted with dedicated professionals, a broad range of IT skills, and tight collaboration. Although in analyzing the event afterwards the ransomware incident detailed here should have been stopped with modern cyber security solutions and recognized best practices, team education, and well thought out incident response procedures for backup and keeping systems up to date with security patches, the reality remains that state-sponsored cyber criminals from China, North Korea and elsewhere are relentless and are an ongoing threat. If you do get hit by a ransomware attack, remember that Progent's roster of experts has a proven track record in ransomware virus defense, remediation, and data disaster recovery.


"So, to Darrin, Matt, Aaron, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others that were helping), thank you for letting me get some sleep after we made it over the first week. All of you did an impressive effort, and if any of your guys is visiting the Chicago area, dinner is the least I can do!"

To review or download a PDF version of this customer story, click:
Progent's Crypto-Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent offers companies in Portland a portfolio of remote monitoring and security evaluation services to assist you to minimize the threat from crypto-ransomware. These services utilize next-generation artificial intelligence technology to uncover new strains of crypto-ransomware that are able to escape detection by legacy signature-based security products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring (ASM) is an endpoint protection solution that utilizes next generation behavior-based machine learning tools to defend physical and virtual endpoints against modern malware attacks such as ransomware and email phishing, which easily get by traditional signature-matching AV tools. ProSight ASM safeguards on-premises and cloud resources and provides a single platform to manage the complete threat progression including protection, infiltration detection, containment, remediation, and post-attack forensics. Key features include one-click rollback using Windows Volume Shadow Copy Service (VSS) and automatic system-wide immunization against new attacks. Read more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection: Physical and Virtual Endpoint Protection and Microsoft Exchange Filtering
    Progent's ProSight Enhanced Security Protection (ESP) services deliver economical in-depth protection for physical servers and virtual machines, desktops, smartphones, and Microsoft Exchange. ProSight ESP uses adaptive security and modern behavior analysis for continuously monitoring and reacting to security assaults from all vectors. ProSight ESP provides firewall protection, penetration alarms, endpoint control, and web filtering through cutting-edge technologies packaged within one agent accessible from a unified console. Progent's data protection and virtualization experts can assist your business to design and configure a ProSight ESP environment that meets your company's unique requirements and that helps you prove compliance with legal and industry information security regulations. Progent will assist you define and implement policies that ProSight ESP will enforce, and Progent will monitor your IT environment and react to alerts that call for immediate action. Progent's consultants can also assist you to set up and verify a backup and restore system like ProSight Data Protection Services (DPS) so you can get back in business quickly from a destructive cyber attack like ransomware. Learn more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint security and Microsoft Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services from Progent provide small and medium-sized organizations a low cost and fully managed service for reliable backup/disaster recovery. Available at a low monthly price, ProSight DPS automates and monitors your backup processes and enables rapid recovery of vital data, applications and VMs that have become unavailable or corrupted due to hardware failures, software glitches, natural disasters, human error, or malware attacks such as ransomware. ProSight DPS can help you back up, recover and restore files, folders, apps, system images, as well as Hyper-V and VMware images/. Important data can be backed up on the cloud, to a local device, or to both. Progent's backup and recovery consultants can deliver advanced expertise to configure ProSight DPS to to comply with government and industry regulatory requirements like HIPPA, FINRA, PCI and Safe Harbor and, when necessary, can help you to restore your critical data. Find out more about ProSight DPS Managed Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that uses the infrastructure of leading information security companies to provide centralized management and world-class protection for your email traffic. The powerful architecture of Email Guard managed service integrates cloud-based filtering with a local gateway device to offer complete defense against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks, and other email-based malware. Email Guard's Cloud Protection Layer serves as a preliminary barricade and blocks most unwanted email from reaching your security perimeter. This reduces your exposure to inbound threats and saves network bandwidth and storage. Email Guard's onsite security gateway device provides a further level of analysis for incoming email. For outbound email, the onsite gateway offers AV and anti-spam filtering, policy-based Data Loss Prevention, and email encryption. The on-premises gateway can also help Exchange Server to track and protect internal email traffic that stays within your security perimeter. For more details, see Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is a network infrastructure monitoring and management service that makes it easy and affordable for smaller businesses to map, track, enhance and debug their networking appliances such as routers, firewalls, and load balancers as well as servers, printers, client computers and other networked devices. Using cutting-edge RMM technology, ProSight WAN Watch ensures that network diagrams are always updated, captures and displays the configuration information of virtually all devices on your network, monitors performance, and generates alerts when issues are discovered. By automating time-consuming network management processes, ProSight WAN Watch can cut hours off common chores like making network diagrams, expanding your network, finding devices that need critical software patches, or identifying the cause of performance bottlenecks. Learn more details about ProSight WAN Watch infrastructure monitoring and management services.

  • ProSight LAN Watch: Server and Desktop Monitoring
    ProSight LAN Watch is Progentís server and desktop remote monitoring managed service that incorporates state-of-the-art remote monitoring and management (RMM) technology to keep your IT system operating at peak levels by checking the health of vital computers that power your information system. When ProSight LAN Watch uncovers an issue, an alarm is transmitted automatically to your specified IT management personnel and your assigned Progent consultant so that any potential problems can be resolved before they can disrupt productivity. Learn more details about ProSight LAN Watch server and desktop monitoring services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
    With ProSight Virtual Hosting service, a small business can have its critical servers and applications hosted in a secure fault tolerant data center on a fast virtual host set up and maintained by Progent's network support experts. Under Progent's ProSight Virtual Hosting model, the client owns the data, the operating system software, and the apps. Since the system is virtualized, it can be moved immediately to an alternate hardware solution without a time-consuming and difficult reinstallation process. With ProSight Virtual Hosting, your business is not tied a single hosting service. Find out more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to capture, maintain, find and safeguard data about your IT infrastructure, processes, business apps, and services. You can instantly locate passwords or IP addresses and be warned automatically about upcoming expirations of SSL certificates or domains. By updating and managing your IT infrastructure documentation, you can eliminate up to half of time wasted trying to find vital information about your network. ProSight IT Asset Management features a centralized location for holding and collaborating on all documents required for managing your business network like recommended procedures and self-service instructions. ProSight IT Asset Management also offers advanced automation for gathering and relating IT data. Whether youíre making enhancements, performing maintenance, or responding to an emergency, ProSight IT Asset Management gets you the data you need as soon as you need it. Find out more about ProSight IT Asset Management service.
For 24x7 Portland Ransomware Cleanup Services, reach out to Progent at 800-993-9400 or go to Contact Progent.