Ransomware : Your Feared IT Nightmare
Ransomware has become a modern cyber pandemic that presents an enterprise-level threat for organizations poorly prepared for an attack. Versions of ransomware like the Dharma, CryptoWall, Locky, Syskey and MongoLock cryptoworms have been circulating for many years and still inflict harm. The latest versions of crypto-ransomware like Ryuk and Hermes, plus more as yet unnamed variants, not only encrypt online data but also infect all configured system restore points and backups. Data synced to off-site disaster recovery sites can also be corrupted. In a poorly architected environment, this can render automatic restoration hopeless and effectively set the network back to square one.
Restoring services and data after a crypto-ransomware outage becomes a sprint against time as the targeted business tries its best to stop lateral movement, clear the ransomware, and restore enterprise-critical operations. Since ransomware takes time to move laterally, intrusions are often sprung during nights and weekends, when attacks tend to take longer to detect. This compounds the difficulty of rapidly mobilizing and orchestrating a capable mitigation team.
Progent provides a variety of support services for protecting enterprises from crypto-ransomware attacks. These include team member training to help identify and avoid phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, plus deployment of the latest generation of security solutions with AI capabilities to quickly discover and suppress zero-day cyber attacks. Progent also provides the services of expert ransomware recovery engineers with the talent and commitment to restore a compromised network as urgently as possible.
Progent's Ransomware Restoration Support Services
After a crypto-ransomware event, even paying the ransom in cryptocurrency does not provide any assurance that merciless criminals will provide the keys needed to decrypt all your information. Kaspersky Labs estimated that seventeen percent of ransomware victims never restored their files even after having paid the ransom, resulting in additional losses. The gamble is also expensive. Ryuk ransoms frequently range from fifteen to forty BTC ($120,000 to $400,000). This is far higher than the average ransomware demand, which ZDNET determined to be in the range of $13,000. The alternative is to set up from scratch the critical components of your IT environment. Absent access to full system backups, this requires a wide range of IT skills, top-notch project management, and the capability to work 24x7 until the job is complete.
For decades, Progent has offered expert IT services for companies in Lynnwood and throughout the US and has earned Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes consultants who have earned high-level industry certifications in leading technologies like Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's security consultants have garnered internationally recognized industry certifications including CISM, CISSP, ISACA CRISC, and GIAC. (Visit Progent's certifications.) Progent also has expertise with financial systems and ERP application software. This breadth of expertise gives Progent the capability to quickly identify important systems, re-organize the remaining pieces of your Information Technology environment following a ransomware intrusion, and assemble them into a functioning network.
Progent's ransomware group has powerful project management tools to orchestrate the complex recovery process. Progent understands the importance of working rapidly and in concert with a customer's management and Information Technology resources to prioritize tasks and to put essential applications back on-line as fast as possible.
Customer Case Study: A Successful Ransomware Penetration Response
A business hired Progent after their network was brought down by the Ryuk ransomware virus. Ryuk is thought to have been launched by North Korean government-sponsored cybercriminals, possibly adopting strategies leaked from the U.S. NSA organization. Ryuk attacks specific businesses with little or no room for operational disruption and is among the most profitable instances of ransomware malware. Highly publicized victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a regional manufacturing company located in the Chicago metro area with about 500 employees. The Ryuk event had paralyzed all company operations and manufacturing capabilities. Most of the client's system backups had been on-line at the beginning of the attack and were eventually encrypted. The client was actively seeking loans for paying the ransom (more than $200K) and praying for good luck, but in the end reached out to Progent.
"I cannot tell you enough about the help Progent provided us throughout the most fearful period of (our) business's existence. We had little choice but to pay the hackers behind this attack if not for the confidence the Progent group provided us. That you were able to get our messaging and essential applications back in less than seven days was earth shattering. Every single person I got help from or e-mailed at Progent was hell bent on getting my company operational and was working at all hours to bail us out."
Progent worked together with the customer to rapidly assess and prioritize the essential elements that needed to be recovered to make it possible to restart company functions:
- Microsoft Active Directory
- Microsoft Exchange Email
To start, Progent adhered to AV/malware incident response industry best practices by isolating systems and cleaning them of viruses. Progent then initiated the process of rebuilding Microsoft Active Directory, the heart of enterprise systems built on Microsoft Windows Server technology. Exchange messaging will not function without Active Directory, and the business's financials and MRP system used Microsoft SQL Server, which needs Active Directory services for access to the information.
In less than two days, Progent was able to rebuild Windows Active Directory to its pre-intrusion state. Progent then initiated reinstallations and hard drive recovery on mission-critical systems. All Exchange ties and configuration information were intact, which facilitated the rebuild of Exchange. Progent was also able to collect non-encrypted OST data files (Outlook Off-Line Data Files) on user workstations and laptops in order to recover email information. A recent off-line backup of the business's accounting/ERP systems made it possible to bring these vital services back to users. Although major work remained to recover completely from the Ryuk event, the most important services were recovered quickly:
"For the most part, the production line operation ran fairly normal throughout and we produced all customer deliverables."
Over the next few weeks important milestones in the recovery project were accomplished through close cooperation between Progent team members and the customer:
- Internal web sites were returned to operation with no loss of information.
- The MailStore Server with over 4 million archived emails was restored to operations and available for users.
- CRM/Product Ordering/Invoices/Accounts Payable (AP)/Accounts Receivables/Inventory functions were 100 percent recovered.
- A new Palo Alto 850 security appliance was brought online.
- Ninety percent of the desktops and laptops were back in use by staff.
"A huge amount of what transpired in the early hours is nearly entirely a fog for me, but I will not soon forget the care each of you put in to give us our company back. I have entrusted Progent for at least 10 years, possibly more, and every time I needed help Progent has come through and delivered as promised. This situation was the most impressive ever."
A potential enterprise-killing disaster was dodged through the efforts of results-oriented experts, a wide range of subject matter expertise, and tight collaboration. In the post mortem, the crypto-ransomware attack described here could have been shut down with current security technology, ISO/IEC 27001 best practices, user and IT administrator training, and well-designed security procedures for data backup and applying software patches. The reality remains, however, that government-sponsored hackers from China, Russia, North Korea and elsewhere are relentless and will continue. If you do get hit by a ransomware incursion, remember that Progent's roster of professionals has substantial experience in ransomware virus blocking, remediation, and data restoration.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Tony (along with others that were helping), thanks very much for letting me get rested after we made it over the initial push. All of you did a fabulous effort, and if any of your team is visiting the Chicago area, dinner is my treat!"
To review or download a PDF version of this case study, see Progent's Crypto-Ransomware Virus Recovery Case Study Datasheet (PDF, 282 KB).
Additional Ransomware Protection Services Available from Progent
Progent offers companies in Lynnwood a portfolio of remote monitoring and security evaluation services to help you minimize your vulnerability to crypto-ransomware. These services utilize modern machine learning capability to uncover zero-day variants of crypto-ransomware that can evade legacy signature-based security solutions.
For Lynnwood 24-Hour Ransomware Removal Help, reach out to Progent at 800-993-9400 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) solution that utilizes cutting-edge behavioral machine learning tools to defend physical and virtual endpoints against modern malware assaults like ransomware and email phishing, which routinely evade legacy signature-matching anti-virus products. ProSight ASM safeguards local and cloud resources and offers a single platform to manage the entire threat progression including blocking, infiltration detection, containment, cleanup, and forensics. Top features include one-click rollback with Windows Volume Shadow Copy Service and real-time network-wide immunization against new threats. Find out more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware recovery.
- ProSight Enhanced Security Protection: Physical and Virtual Endpoint Protection and Exchange Email Filtering
ProSight Enhanced Security Protection services offer affordable multi-layer security for physical servers and VMs, desktops, smartphones, and Exchange Server. ProSight ESP utilizes adaptive security and modern behavior analysis for continuously monitoring and reacting to security threats from all attack vectors. ProSight ESP offers firewall protection, intrusion alarms, endpoint management, and web filtering through leading-edge technologies incorporated within a single agent managed from a unified console. Progent's data protection and virtualization experts can help your business to design and implement a ProSight ESP environment that meets your company's specific requirements and that allows you to demonstrate compliance with legal and industry information security standards. Progent will assist you in defining and implementing the security policies that ProSight ESP will manage, and Progent will monitor your network and respond to alarms that require urgent action. Progent can also help your company to install and test a backup and disaster recovery system like ProSight Data Protection Services (DPS) so you can recover rapidly from a destructive cyber attack like ransomware. Find out more about Progent's ProSight Enhanced Security Protection unified endpoint security and Microsoft Exchange filtering.
- ProSight Data Protection Services: Managed Backup and Recovery
ProSight Data Protection Services offer small and medium-sized organizations a low-cost and fully managed solution for reliable backup/disaster recovery (BDR). Available at a fixed monthly cost, ProSight Data Protection Services automates your backup activities and enables rapid restoration of vital data, apps and VMs that have become unavailable or damaged due to component failures, software bugs, disasters, human mistakes, or malware attacks such as ransomware. ProSight Data Protection Services can help you back up, retrieve and restore files, folders, applications, system images, plus Hyper-V and VMware virtual machine images. Important data can be backed up to the cloud, to a local storage device, or to both. Progent's cloud backup specialists can provide advanced support to set up ProSight Data Protection Services to comply with regulatory standards such as HIPAA, FINRA, PCI and Safe Harbor and, when needed, can assist you to recover your critical data. Learn more about ProSight Data Protection Services Managed Backup and Recovery.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam and virus filtering and email encryption service that uses the infrastructure of leading information security vendors to deliver centralized management and comprehensive protection for your email traffic. The powerful architecture of Progent's Email Guard integrates a Cloud Protection Layer with a local security gateway device to offer advanced defense against spam, viruses, denial of service attacks, directory harvest attacks, and other email-borne threats. The Cloud Protection Layer serves as a preliminary barricade and keeps the vast majority of unwanted email from reaching your network firewall. This reduces your vulnerability to inbound attacks and saves system bandwidth and storage space. Email Guard's onsite security gateway appliance provides a deeper layer of inspection for inbound email. For outgoing email, the on-premises security gateway offers AV and anti-spam filtering, protection against data leaks, and email encryption. The on-premises security gateway can also help Exchange Server to track and safeguard internal email traffic that originates and ends within your corporate firewall. For more details, visit Email Guard spam and content filtering.
- ProSight WAN Watch: Network Infrastructure Management
Progent's ProSight WAN Watch is a network infrastructure monitoring and management service that makes it easy and inexpensive for small and mid-sized organizations to diagram, track, reconfigure and debug their networking hardware like switches, firewalls, and access points as well as servers, printers, endpoints and other networked devices. Using state-of-the-art Remote Monitoring and Management (RMM) technology, ProSight WAN Watch makes sure that infrastructure topology diagrams are kept current, copies and displays the configuration information of almost all devices on your network, tracks performance, and sends notices when issues are detected. By automating complex management activities, WAN Watch can knock hours off common tasks such as making network diagrams, expanding your network, finding appliances that require critical updates, or resolving performance problems. Learn more about ProSight WAN Watch network infrastructure management consulting.
- ProSight LAN Watch: Server and Desktop Monitoring and Management
ProSight LAN Watch is Progent's server and desktop remote monitoring service that uses advanced remote monitoring and management technology to keep your network operating at peak levels by checking the state of the critical assets that drive your business network. When ProSight LAN Watch uncovers a problem, an alert is sent immediately to your specified IT personnel and your Progent engineering consultant so that all potential issues can be resolved before they can disrupt your network. Find out more about ProSight LAN Watch server and desktop remote monitoring consulting.
- ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
With Progent's ProSight Virtual Hosting service, a small or mid-size business can have its critical servers and apps hosted in a secure Tier III data center on a fast virtual host configured and managed by Progent's network support professionals. Under the ProSight Virtual Hosting model, the customer owns the data, the OS software, and the applications. Since the system is virtualized, it can be ported immediately to an alternate hardware solution without requiring a time-consuming and technically risky reinstallation process. With ProSight Virtual Hosting, you are not locked into a single hosting provider. Learn more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to create, maintain, find and protect information about your network infrastructure, processes, applications, and services. You can instantly find passwords or IP addresses and be warned automatically about upcoming expirations of SSL certificates, domains or warranties. By cleaning up and organizing your IT documentation, you can save as much as 50% of the time wasted trying to find critical information about your IT network. ProSight IT Asset Management includes a centralized repository for storing and sharing all documents required for managing your business network such as standard operating procedures and self-service instructions. ProSight IT Asset Management also supports advanced automation for collecting and associating IT information. Whether you're making improvements, doing maintenance, or reacting to an emergency, ProSight IT Asset Management delivers the knowledge you require as soon as you need it. Read more about Progent's ProSight IT Asset Management service.