Ransomware : Your Crippling Information Technology Nightmare
Ransomware  Remediation ExpertsRansomware has become a modern cyberplague that represents an existential danger for businesses unprepared for an attack. Versions of crypto-ransomware such as CryptoLocker, CryptoWall, Bad Rabbit, NotPetya and MongoLock cryptoworms have been around for many years and continue to cause havoc. Newer versions of ransomware such as Ryuk and Hermes, plus daily as yet unnamed viruses, not only encrypt online critical data but also infect many available system protection mechanisms. Files replicated to cloud environments can also be rendered useless. In a vulnerable data protection solution, it can make automated recovery useless and effectively knocks the network back to square one.

Recovering services and data following a ransomware outage becomes a sprint against time as the targeted organization fights to contain and remove the ransomware and to resume enterprise-critical operations. Because ransomware takes time to replicate, penetrations are usually sprung at night, when successful penetrations are likely to take more time to identify. This multiplies the difficulty of quickly assembling and orchestrating a knowledgeable mitigation team.

Progent has a range of solutions for protecting organizations from ransomware penetrations. Among these are team member training to help identify and avoid phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, along with deployment of the latest generation security gateways with artificial intelligence technology to rapidly detect and extinguish new cyber threats. Progent in addition can provide the assistance of expert ransomware recovery professionals with the talent and commitment to restore a compromised network as quickly as possible.

Progent's Crypto-Ransomware Recovery Help
Subsequent to a ransomware attack, sending the ransom in cryptocurrency does not ensure that cyber criminals will return the needed codes to unencrypt any of your files. Kaspersky ascertained that 17% of ransomware victims never recovered their data after having sent off the ransom, resulting in increased losses. The gamble is also costly. Ryuk ransoms commonly range from fifteen to forty BTC ($120,000 and $400,000). This is well higher than the typical ransomware demands, which ZDNET determined to be around $13,000. The alternative is to re-install the essential components of your IT environment. Without the availability of complete system backups, this requires a wide complement of skills, top notch project management, and the willingness to work continuously until the task is finished.

For twenty years, Progent has made available certified expert IT services for companies in Southlake and across the U.S. and has achieved Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes consultants who have attained high-level industry certifications in important technologies including Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cybersecurity consultants have earned internationally-renowned industry certifications including CISA, CISSP-ISSAP, CRISC, and SANS GIAC. (Visit Progent's certifications). Progent also has experience in accounting and ERP application software. This breadth of expertise gives Progent the skills to knowledgably identify necessary systems and organize the surviving components of your network environment after a ransomware event and assemble them into an operational network.

Progent's ransomware group deploys top notch project management systems to coordinate the complicated recovery process. Progent knows the urgency of working rapidly and together with a customerís management and Information Technology team members to assign priority to tasks and to get key applications back on line as fast as humanly possible.

Client Case Study: A Successful Ransomware Incident Restoration
A customer escalated to Progent after their organization was brought down by Ryuk ransomware. Ryuk is generally considered to have been deployed by Northern Korean state sponsored hackers, possibly using approaches exposed from Americaís NSA organization. Ryuk seeks specific companies with little or no tolerance for operational disruption and is among the most lucrative incarnations of ransomware malware. Headline targets include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a regional manufacturing business headquartered in Chicago with about 500 employees. The Ryuk intrusion had paralyzed all company operations and manufacturing processes. Most of the client's information backups had been directly accessible at the time of the attack and were encrypted. The client was pursuing financing for paying the ransom demand (more than two hundred thousand dollars) and praying for good luck, but ultimately engaged Progent.


"I cannot thank you enough in regards to the expertise Progent gave us during the most critical period of (our) businesses existence. We had little choice but to pay the cyber criminals behind the attack if it wasnít for the confidence the Progent group afforded us. The fact that you could get our e-mail system and production servers back quicker than a week was beyond my wildest dreams. Every single expert I worked with or texted at Progent was amazingly focused on getting us restored and was working all day and night to bail us out."

Progent worked hand in hand the customer to rapidly assess and prioritize the most important applications that had to be restored in order to restart departmental operations:

  • Active Directory
  • Microsoft Exchange Email
  • MRP System
To get going, Progent followed Anti-virus incident mitigation best practices by stopping lateral movement and disinfecting systems. Progent then started the task of recovering Windows Active Directory, the heart of enterprise systems built on Microsoft Windows technology. Microsoft Exchange Server email will not function without Windows AD, and the businessesí MRP system utilized SQL Server, which needs Active Directory services for access to the databases.

Within 2 days, Progent was able to re-build Windows Active Directory to its pre-intrusion state. Progent then performed rebuilding and storage recovery on critical systems. All Microsoft Exchange Server schema and attributes were usable, which facilitated the restore of Exchange. Progent was able to assemble local OST data files (Outlook Off-Line Folder Files) on team PCs to recover mail messages. A not too old offline backup of the client's accounting systems made them able to return these required applications back online. Although significant work was left to recover totally from the Ryuk attack, core services were restored rapidly:


"For the most part, the production manufacturing operation showed little impact and we did not miss any customer deliverables."

During the next month critical milestones in the restoration project were accomplished in tight cooperation between Progent engineers and the client:

  • Internal web applications were restored without losing any information.
  • The MailStore Exchange Server exceeding 4 million historical messages was spun up and accessible to users.
  • CRM/Orders/Invoices/Accounts Payable (AP)/Accounts Receivables (AR)/Inventory modules were 100 percent recovered.
  • A new Palo Alto Networks 850 firewall was brought online.
  • Ninety percent of the desktops and laptops were operational.

"Much of what was accomplished during the initial response is mostly a fog for me, but my management will not soon forget the dedication all of the team put in to help get our company back. I have been working with Progent for the past 10 years, possibly more, and every time Progent has impressed me and delivered. This event was no exception but maybe more Herculean."

Conclusion
A likely business catastrophe was dodged through the efforts of hard-working experts, a broad array of subject matter expertise, and close teamwork. Although in post mortem the ransomware attack described here should have been blocked with advanced cyber security solutions and NIST Cybersecurity Framework or ISO/IEC 27001 best practices, staff education, and well designed incident response procedures for backup and applying software patches, the reality remains that government-sponsored cyber criminals from Russia, China and elsewhere are relentless and are an ongoing threat. If you do get hit by a crypto-ransomware virus, feel confident that Progent's team of professionals has proven experience in ransomware virus blocking, mitigation, and file restoration.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (along with others who were helping), thanks very much for allowing me to get some sleep after we got over the most critical parts. Everyone did an incredible effort, and if anyone that helped is visiting the Chicago area, dinner is my treat!"

To read or download a PDF version of this customer case study, please click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent can provide companies in Southlake a portfolio of remote monitoring and security assessment services designed to assist you to reduce the threat from ransomware. These services include next-generation artificial intelligence technology to uncover new strains of ransomware that are able to evade traditional signature-based security products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) solution that utilizes cutting edge behavior-based analysis tools to defend physical and virtual endpoints against new malware attacks like ransomware and email phishing, which routinely get by legacy signature-based AV tools. ProSight ASM protects local and cloud-based resources and offers a unified platform to automate the complete threat progression including blocking, detection, mitigation, remediation, and post-attack forensics. Key capabilities include single-click rollback with Windows Volume Shadow Copy Service and automatic network-wide immunization against newly discovered threats. Learn more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection (ESP): Endpoint Protection and Exchange Filtering
    Progent's ProSight Enhanced Security Protection (ESP) services offer ultra-affordable in-depth security for physical and virtual servers, desktops, smartphones, and Exchange Server. ProSight ESP uses contextual security and advanced machine learning for round-the-clock monitoring and reacting to security assaults from all vectors. ProSight ESP offers two-way firewall protection, intrusion alarms, endpoint management, and web filtering through leading-edge tools packaged within a single agent managed from a single control. Progent's data protection and virtualization consultants can assist you to design and configure a ProSight ESP deployment that meets your company's specific needs and that helps you achieve and demonstrate compliance with legal and industry information security standards. Progent will help you specify and implement policies that ProSight ESP will manage, and Progent will monitor your IT environment and react to alarms that call for immediate attention. Progent can also assist you to install and verify a backup and disaster recovery solution like ProSight Data Protection Services (DPS) so you can recover quickly from a destructive security attack like ransomware. Find out more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint protection and Microsoft Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services provide small and mid-sized businesses an affordable and fully managed solution for secure backup/disaster recovery (BDR). For a low monthly price, ProSight DPS automates your backup processes and enables rapid restoration of critical files, apps and virtual machines that have become unavailable or corrupted due to hardware failures, software bugs, disasters, human error, or malware attacks like ransomware. ProSight DPS can help you back up, recover and restore files, folders, applications, system images, plus Hyper-V and VMware virtual machine images. Critical data can be backed up on the cloud, to a local storage device, or mirrored to both. Progent's cloud backup consultants can provide world-class support to configure ProSight DPS to to comply with regulatory requirements like HIPPA, FINRA, PCI and Safe Harbor and, whenever needed, can help you to restore your business-critical information. Find out more about ProSight Data Protection Services Managed Cloud Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering and email encryption service that incorporates the infrastructure of leading data security companies to provide centralized management and world-class security for all your email traffic. The powerful structure of Email Guard managed service combines cloud-based filtering with an on-premises security gateway device to offer complete protection against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks, and other email-based malware. The Cloud Protection Layer acts as a preliminary barricade and keeps the vast majority of unwanted email from reaching your network firewall. This decreases your vulnerability to inbound threats and saves system bandwidth and storage space. Email Guard's on-premises gateway appliance provides a further layer of inspection for incoming email. For outbound email, the local gateway provides anti-virus and anti-spam filtering, protection against data leaks, and email encryption. The onsite security gateway can also assist Microsoft Exchange Server to monitor and safeguard internal email traffic that stays within your corporate firewall. For more details, visit ProSight Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Management
    ProSight WAN Watch is an infrastructure management service that makes it simple and affordable for smaller organizations to map, monitor, enhance and troubleshoot their connectivity hardware like routers, firewalls, and wireless controllers plus servers, printers, endpoints and other devices. Using cutting-edge Remote Monitoring and Management technology, WAN Watch ensures that infrastructure topology maps are kept updated, captures and displays the configuration of virtually all devices connected to your network, monitors performance, and sends notices when potential issues are detected. By automating tedious management processes, WAN Watch can cut hours off common chores like making network diagrams, reconfiguring your network, locating devices that need important updates, or identifying the cause of performance problems. Find out more about ProSight WAN Watch network infrastructure management services.

  • ProSight LAN Watch: Server and Desktop Monitoring and Management
    ProSight LAN Watch is Progentís server and desktop monitoring service that incorporates state-of-the-art remote monitoring and management (RMM) technology to help keep your network running efficiently by checking the health of critical computers that drive your information system. When ProSight LAN Watch detects a problem, an alarm is transmitted immediately to your specified IT personnel and your Progent consultant so that any potential issues can be addressed before they can impact productivity. Find out more about ProSight LAN Watch server and desktop monitoring consulting.

  • ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
    With Progent's ProSight Virtual Hosting service, a small business can have its critical servers and apps hosted in a protected fault tolerant data center on a fast virtual machine host set up and maintained by Progent's IT support professionals. Under the ProSight Virtual Hosting model, the client retains ownership of the data, the OS software, and the applications. Since the system is virtualized, it can be ported easily to an alternate hardware environment without requiring a lengthy and technically risky configuration procedure. With ProSight Virtual Hosting, your business is not locked into a single hosting provider. Learn more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to create, update, find and safeguard information related to your IT infrastructure, procedures, business apps, and services. You can quickly find passwords or IP addresses and be warned automatically about upcoming expirations of SSLs or domains. By cleaning up and managing your IT documentation, you can save up to half of time thrown away looking for critical information about your IT network. ProSight IT Asset Management includes a common location for storing and collaborating on all documents required for managing your network infrastructure like standard operating procedures and How-To's. ProSight IT Asset Management also offers advanced automation for collecting and relating IT data. Whether youíre making enhancements, performing maintenance, or responding to a crisis, ProSight IT Asset Management gets you the information you need when you need it. Find out more about ProSight IT Asset Management service.
For Southlake 24x7 CryptoLocker Remediation Experts, call Progent at 800-993-9400 or go to Contact Progent.