Ransomware : Your Crippling IT Nightmare
Ransomware  Recovery ConsultantsRansomware has become a too-frequent cyber pandemic that poses an existential threat for businesses unprepared for an assault. Versions of crypto-ransomware like the Dharma, Fusob, Bad Rabbit, Syskey and MongoLock cryptoworms have been around for a long time and still inflict havoc. Modern variants of ransomware like Ryuk, Maze, Sodinokibi, DopplePaymer, Snatch or Egregor, along with daily unnamed newcomers, not only do encryption of online data but also infiltrate any accessible system backups. Information synched to cloud environments can also be corrupted. In a vulnerable system, this can make automatic recovery hopeless and effectively sets the entire system back to square one.

Recovering services and information following a crypto-ransomware attack becomes a race against the clock as the targeted business fights to contain the damage and cleanup the ransomware and to restore business-critical operations. Since ransomware needs time to move laterally, assaults are usually launched during weekends and nights, when successful penetrations tend to take longer to notice. This compounds the difficulty of promptly assembling and organizing a qualified mitigation team.

Progent has a variety of services for securing enterprises from ransomware events. Among these are team member education to help identify and not fall victim to phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, in addition to setup and configuration of the latest generation security appliances with artificial intelligence capabilities to intelligently detect and quarantine day-zero threats. Progent in addition offers the assistance of seasoned ransomware recovery engineers with the skills and perseverance to restore a breached network as soon as possible.

Progent's Crypto-Ransomware Restoration Support Services
Subsequent to a ransomware attack, even paying the ransom in Bitcoin cryptocurrency does not provide any assurance that cyber criminals will return the needed keys to decipher any or all of your files. Kaspersky estimated that seventeen percent of ransomware victims never recovered their files after having paid the ransom, resulting in increased losses. The gamble is also expensive. Ryuk ransoms frequently range from 15-40 BTC ($120,000 and $400,000). This is well above the average ransomware demands, which ZDNET estimates to be around $13,000. The other path is to piece back together the vital elements of your Information Technology environment. Without the availability of full system backups, this calls for a broad range of skill sets, professional team management, and the ability to work 24x7 until the recovery project is complete.

For twenty years, Progent has made available expert IT services for companies in Southlake and across the U.S. and has earned Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes engineers who have attained advanced industry certifications in foundation technologies such as Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cybersecurity experts have garnered internationally-renowned industry certifications including CISA, CISSP-ISSAP, CRISC, and SANS GIAC. (Visit Progent's certifications). Progent in addition has experience with accounting and ERP applications. This breadth of expertise gives Progent the ability to knowledgably ascertain necessary systems and consolidate the surviving components of your network environment after a ransomware attack and rebuild them into an operational system.

Progent's recovery team of experts deploys powerful project management tools to coordinate the complex recovery process. Progent knows the urgency of working swiftly and in concert with a customerís management and IT team members to prioritize tasks and to get essential applications back online as soon as possible.

Client Case Study: A Successful Ransomware Incident Response
A small business contacted Progent after their company was brought down by the Ryuk crypto-ransomware. Ryuk is thought to have been launched by North Korean state cybercriminals, suspected of using algorithms exposed from the U.S. NSA organization. Ryuk goes after specific organizations with limited room for disruption and is among the most profitable iterations of ransomware malware. Well Known organizations include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a small manufacturing company based in Chicago and has around 500 employees. The Ryuk intrusion had brought down all business operations and manufacturing capabilities. The majority of the client's backups had been directly accessible at the start of the intrusion and were eventually encrypted. The client considered paying the ransom demand (in excess of $200K) and hoping for good luck, but ultimately made the decision to use Progent.


"I canít say enough in regards to the support Progent gave us during the most fearful time of (our) businesses existence. We may have had to pay the cyber criminals behind the attack if not for the confidence the Progent group afforded us. That you were able to get our messaging and critical servers back on-line faster than a week was beyond my wildest dreams. Each consultant I worked with or texted at Progent was totally committed on getting our company operational and was working breakneck pace on our behalf."

Progent worked together with the customer to rapidly understand and prioritize the key areas that needed to be restored in order to continue company functions:

  • Microsoft Active Directory
  • Email
  • Financials/MRP
To start, Progent followed AV/Malware Processes penetration response industry best practices by stopping the spread and cleaning up infected systems. Progent then began the steps of bringing back online Microsoft Active Directory, the key technology of enterprise systems built on Microsoft technology. Microsoft Exchange email will not operate without Active Directory, and the client's MRP system utilized Microsoft SQL Server, which depends on Windows AD for authentication to the databases.

In less than two days, Progent was able to recover Active Directory to its pre-attack state. Progent then helped perform rebuilding and hard drive recovery of mission critical systems. All Exchange Server data and attributes were usable, which facilitated the rebuild of Exchange. Progent was also able to find local OST files (Outlook Email Offline Data Files) on team desktop computers in order to recover mail data. A recent off-line backup of the businesses accounting/ERP software made them able to restore these vital programs back on-line. Although a large amount of work remained to recover totally from the Ryuk attack, the most important services were recovered quickly:


"For the most part, the production line operation never missed a beat and we made all customer sales."

Over the next month critical milestones in the restoration process were accomplished through tight cooperation between Progent team members and the client:

  • Internal web applications were brought back up without losing any information.
  • The MailStore Server exceeding 4 million archived messages was brought on-line and accessible to users.
  • CRM/Orders/Invoices/AP/Accounts Receivables (AR)/Inventory Control modules were fully restored.
  • A new Palo Alto 850 security appliance was installed.
  • Nearly all of the user PCs were operational.

"Much of what was accomplished during the initial response is nearly entirely a blur for me, but my management will not soon forget the countless hours all of your team put in to give us our business back. I have utilized Progent for the past ten years, maybe more, and every time Progent has impressed me and delivered as promised. This time was a Herculean accomplishment."

Conclusion
A potential enterprise-killing catastrophe was averted due to top-tier professionals, a wide array of subject matter expertise, and tight collaboration. Although upon completion of forensics the ransomware virus penetration described here should have been disabled with up-to-date cyber security systems and ISO/IEC 27001 best practices, team training, and properly executed security procedures for information backup and proper patching controls, the fact remains that state-sponsored cyber criminals from China, Russia, North Korea and elsewhere are tireless and will continue. If you do fall victim to a ransomware virus, feel confident that Progent's team of professionals has proven experience in ransomware virus defense, remediation, and data restoration.


"So, to Darrin, Matt, Aaron, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others that were involved), thanks very much for allowing me to get rested after we got past the initial push. All of you did an fabulous effort, and if any of your team is in the Chicago area, dinner is my treat!"

To review or download a PDF version of this customer story, please click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Offered by Progent
Progent offers companies in Southlake a portfolio of online monitoring and security evaluation services to assist you to minimize the threat from ransomware. These services incorporate next-generation AI technology to detect new variants of ransomware that can get past legacy signature-based anti-virus solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) solution that utilizes next generation behavior-based analysis technology to defend physical and virtual endpoint devices against new malware assaults such as ransomware and file-less exploits, which easily get by traditional signature-based anti-virus tools. ProSight ASM protects local and cloud resources and offers a unified platform to manage the complete malware attack lifecycle including protection, infiltration detection, mitigation, cleanup, and post-attack forensics. Top features include one-click rollback with Windows Volume Shadow Copy Service (VSS) and real-time network-wide immunization against new attacks. Find out more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection (ESP): Endpoint Security and Microsoft Exchange Filtering
    ProSight Enhanced Security Protection (ESP) managed services offer ultra-affordable multi-layer protection for physical servers and virtual machines, workstations, smartphones, and Exchange email. ProSight ESP utilizes adaptive security and advanced machine learning for continuously monitoring and responding to security assaults from all attack vectors. ProSight ESP provides two-way firewall protection, intrusion alerts, endpoint control, and web filtering via leading-edge technologies packaged within a single agent managed from a unified console. Progent's data protection and virtualization experts can help your business to plan and configure a ProSight ESP deployment that meets your company's specific requirements and that allows you prove compliance with legal and industry data protection standards. Progent will assist you specify and configure policies that ProSight ESP will enforce, and Progent will monitor your network and react to alerts that call for immediate action. Progent's consultants can also assist your company to install and verify a backup and disaster recovery system like ProSight Data Protection Services so you can recover rapidly from a potentially disastrous cyber attack like ransomware. Find out more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint protection and Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services provide small and medium-sized businesses an affordable and fully managed solution for secure backup/disaster recovery (BDR). Available at a fixed monthly cost, ProSight Data Protection Services automates your backup activities and enables fast restoration of vital files, applications and VMs that have become lost or damaged as a result of component failures, software glitches, disasters, human error, or malicious attacks such as ransomware. ProSight DPS can help you back up, recover and restore files, folders, apps, system images, as well as Hyper-V and VMware virtual machine images. Critical data can be protected on the cloud, to an on-promises storage device, or mirrored to both. Progent's BDR specialists can provide advanced support to configure ProSight Data Protection Services to be compliant with regulatory requirements like HIPAA, FIRPA, PCI and Safe Harbor and, whenever needed, can assist you to restore your business-critical data. Read more about ProSight Data Protection Services Managed Backup.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering and email encryption service that uses the infrastructure of leading information security companies to provide web-based control and comprehensive protection for all your email traffic. The powerful structure of Email Guard managed service integrates cloud-based filtering with a local gateway appliance to provide complete protection against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks (DHAs), and other email-borne malware. Email Guard's cloud filter serves as a preliminary barricade and keeps the vast majority of unwanted email from making it to your security perimeter. This decreases your vulnerability to external threats and saves system bandwidth and storage space. Email Guard's on-premises gateway appliance adds a deeper layer of inspection for inbound email. For outbound email, the on-premises security gateway provides anti-virus and anti-spam filtering, protection against data leaks, and email encryption. The on-premises security gateway can also assist Exchange Server to monitor and safeguard internal email that stays inside your corporate firewall. For more details, visit ProSight Email Guard spam and content filtering.

  • ProSight WAN Watch: Infrastructure Remote Monitoring and Management
    Progentís ProSight WAN Watch is a network infrastructure management service that makes it easy and affordable for smaller businesses to diagram, track, enhance and troubleshoot their networking appliances like switches, firewalls, and access points as well as servers, printers, endpoints and other devices. Incorporating state-of-the-art RMM technology, ProSight WAN Watch makes sure that network maps are always updated, copies and manages the configuration of almost all devices connected to your network, tracks performance, and sends alerts when issues are detected. By automating tedious network management activities, WAN Watch can knock hours off ordinary chores like network mapping, reconfiguring your network, locating appliances that require critical software patches, or resolving performance bottlenecks. Learn more about ProSight WAN Watch infrastructure management services.

  • ProSight LAN Watch: Server and Desktop Monitoring and Management
    ProSight LAN Watch is Progentís server and desktop monitoring managed service that incorporates advanced remote monitoring and management techniques to keep your network operating at peak levels by checking the health of vital assets that power your business network. When ProSight LAN Watch detects a problem, an alert is transmitted immediately to your designated IT management personnel and your assigned Progent engineering consultant so any potential issues can be resolved before they can impact your network. Find out more details about ProSight LAN Watch server and desktop monitoring consulting.

  • ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
    With ProSight Virtual Hosting service, a small or mid-size business can have its key servers and apps hosted in a protected Tier III data center on a fast virtual machine host configured and managed by Progent's IT support professionals. With the ProSight Virtual Hosting service model, the client owns the data, the OS software, and the apps. Since the system is virtualized, it can be moved immediately to a different hardware solution without a lengthy and difficult reinstallation procedure. With ProSight Virtual Hosting, you are not tied one hosting provider. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to capture, update, retrieve and safeguard information related to your network infrastructure, procedures, applications, and services. You can instantly find passwords or IP addresses and be warned about upcoming expirations of SSLs or domains. By updating and managing your network documentation, you can eliminate as much as half of time spent looking for critical information about your IT network. ProSight IT Asset Management includes a common repository for holding and sharing all documents required for managing your network infrastructure like recommended procedures and How-To's. ProSight IT Asset Management also supports a high level of automation for gathering and associating IT information. Whether youíre making enhancements, doing maintenance, or responding to a crisis, ProSight IT Asset Management gets you the data you require the instant you need it. Find out more about ProSight IT Asset Management service.
For Southlake 24x7x365 Crypto Recovery Consulting, contact Progent at 800-993-9400 or go to Contact Progent.