Ransomware : Your Worst Information Technology Disaster
Ransomware  Recovery ExpertsRansomware has become an escalating cyberplague that represents an existential danger for businesses vulnerable to an attack. Different iterations of ransomware like the Reveton, CryptoWall, Locky, NotPetya and MongoLock cryptoworms have been running rampant for many years and continue to inflict destruction. More recent versions of crypto-ransomware such as Ryuk, Maze, Sodinokibi, DopplePaymer, Conti or Nephilim, as well as daily unnamed newcomers, not only encrypt online data files but also infect many available system protection. Information replicated to off-site disaster recovery sites can also be rendered useless. In a poorly designed environment, this can make any restore operations useless and basically knocks the entire system back to square one.

Restoring applications and data following a ransomware attack becomes a race against the clock as the targeted organization fights to stop the spread and clear the ransomware and to restore enterprise-critical operations. Due to the fact that crypto-ransomware needs time to move laterally, penetrations are often sprung on weekends and holidays, when attacks typically take more time to recognize. This compounds the difficulty of quickly marshalling and orchestrating an experienced response team.

Progent makes available a variety of services for securing businesses from crypto-ransomware penetrations. Among these are staff training to become familiar with and avoid phishing scams, ProSight Active Security Monitoring for remote monitoring and management, plus deployment of next-generation security gateways with AI capabilities to automatically discover and extinguish day-zero cyber threats. Progent also can provide the services of expert ransomware recovery professionals with the talent and perseverance to restore a compromised environment as soon as possible.

Progent's Ransomware Recovery Support Services
Subsequent to a ransomware event, paying the ransom in cryptocurrency does not provide any assurance that cyber hackers will return the keys to unencrypt any or all of your information. Kaspersky Labs ascertained that 17% of ransomware victims never recovered their files even after having paid the ransom, resulting in additional losses. The risk is also expensive. Ryuk ransoms often range from 15-40 BTC ($120,000 and $400,000). This is well higher than the average crypto-ransomware demands, which ZDNET estimates to be approximately $13,000. The fallback is to setup from scratch the critical elements of your IT environment. Absent access to full information backups, this calls for a broad complement of IT skills, well-coordinated project management, and the willingness to work 24x7 until the task is over.

For decades, Progent has provided professional Information Technology services for companies in Miami Beach and across the U.S. and has earned Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes consultants who have attained top certifications in important technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cyber security experts have earned internationally-recognized industry certifications including CISM, CISSP, CRISC, and SANS GIAC. (See Progent's certifications). Progent also has experience in financial systems and ERP software solutions. This breadth of experience affords Progent the capability to efficiently ascertain necessary systems and integrate the remaining components of your network environment following a ransomware event and assemble them into an operational network.

Progent's recovery team utilizes powerful project management systems to orchestrate the sophisticated restoration process. Progent appreciates the importance of working rapidly and in unison with a customerís management and Information Technology resources to assign priority to tasks and to get the most important services back on line as soon as possible.

Case Study: A Successful Ransomware Incident Recovery
A customer escalated to Progent after their network was attacked by Ryuk ransomware. Ryuk is believed to have been developed by Northern Korean government sponsored hackers, suspected of adopting techniques exposed from the U.S. NSA organization. Ryuk attacks specific companies with little room for disruption and is among the most lucrative versions of ransomware viruses. Major targets include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a regional manufacturer based in Chicago and has around 500 workers. The Ryuk event had shut down all essential operations and manufacturing capabilities. Most of the client's system backups had been directly accessible at the time of the attack and were eventually encrypted. The client considered paying the ransom (more than two hundred thousand dollars) and wishfully thinking for good luck, but in the end brought in Progent.

"I cannot tell you enough in regards to the help Progent provided us throughout the most critical period of (our) companyís life. We may have had to pay the criminal gangs if it wasnít for the confidence the Progent team provided us. That you were able to get our e-mail and production servers back sooner than 1 week was incredible. Each expert I got help from or e-mailed at Progent was laser focused on getting us operational and was working at all hours on our behalf."

Progent worked together with the customer to rapidly understand and prioritize the mission critical services that had to be recovered in order to resume business operations:

  • Active Directory
  • Electronic Messaging
  • Accounting/MRP
To begin, Progent adhered to AV/Malware Processes penetration response industry best practices by stopping lateral movement and cleaning up infected systems. Progent then started the work of rebuilding Active Directory, the core of enterprise environments built on Microsoft Windows Server technology. Exchange messaging will not function without AD, and the client's MRP software used Microsoft SQL, which depends on Active Directory for access to the information.

Within two days, Progent was able to rebuild Active Directory services to its pre-intrusion state. Progent then initiated reinstallations and hard drive recovery of mission critical servers. All Exchange Server schema and attributes were usable, which accelerated the restore of Exchange. Progent was able to find local OST data files (Outlook Off-Line Folder Files) on various desktop computers and laptops to recover mail data. A recent offline backup of the client's financials/ERP systems made it possible to restore these vital services back servicing users. Although a large amount of work was left to recover fully from the Ryuk damage, critical systems were restored rapidly:

"For the most part, the production line operation never missed a beat and we delivered all customer deliverables."

Throughout the following few weeks key milestones in the recovery process were achieved in tight collaboration between Progent engineers and the client:

  • In-house web applications were restored without losing any data.
  • The MailStore Server with over 4 million historical emails was brought on-line and accessible to users.
  • CRM/Orders/Invoicing/AP/Accounts Receivables (AR)/Inventory Control functions were fully operational.
  • A new Palo Alto 850 firewall was deployed.
  • Ninety percent of the desktops and laptops were operational.

"A huge amount of what happened in the initial days is nearly entirely a haze for me, but my team will not forget the urgency each of you accomplished to give us our company back. I have been working together with Progent for the past ten years, possibly more, and every time Progent has shined and delivered as promised. This time was the most impressive ever."

A likely business-ending disaster was averted by top-tier experts, a wide range of subject matter expertise, and tight teamwork. Although in analyzing the event afterwards the ransomware penetration described here should have been blocked with advanced security solutions and ISO/IEC 27001 best practices, user education, and well thought out security procedures for information protection and proper patching controls, the fact is that state-sponsored cyber criminals from Russia, China and elsewhere are tireless and are an ongoing threat. If you do get hit by a crypto-ransomware incursion, feel confident that Progent's team of experts has proven experience in ransomware virus defense, cleanup, and data restoration.

"So, to Darrin, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others who were involved), thank you for allowing me to get some sleep after we made it through the initial push. Everyone did an fabulous effort, and if anyone is around the Chicago area, dinner is my treat!"

To read or download a PDF version of this case study, click:
Progent's Crypto-Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent can provide companies in Miami Beach a variety of remote monitoring and security evaluation services to assist you to minimize the threat from ransomware. These services incorporate next-generation AI technology to detect zero-day variants of crypto-ransomware that are able to evade traditional signature-based anti-virus solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) solution that incorporates cutting edge behavior analysis technology to guard physical and virtual endpoints against modern malware assaults such as ransomware and file-less exploits, which easily escape traditional signature-matching AV tools. ProSight Active Security Monitoring safeguards on-premises and cloud resources and provides a unified platform to address the complete threat lifecycle including protection, detection, mitigation, cleanup, and post-attack forensics. Top capabilities include one-click rollback using Windows Volume Shadow Copy Service (VSS) and real-time network-wide immunization against newly discovered threats. Learn more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection: Endpoint Protection and Microsoft Exchange Filtering
    Progent's ProSight Enhanced Security Protection (ESP) services offer affordable multi-layer security for physical servers and VMs, workstations, smartphones, and Microsoft Exchange. ProSight ESP uses adaptive security and advanced heuristics for round-the-clock monitoring and reacting to security threats from all vectors. ProSight ESP offers firewall protection, intrusion alerts, endpoint control, and web filtering via cutting-edge technologies packaged within a single agent managed from a single control. Progent's security and virtualization consultants can assist you to plan and configure a ProSight ESP deployment that addresses your organization's unique needs and that allows you demonstrate compliance with legal and industry data protection standards. Progent will help you specify and implement security policies that ProSight ESP will manage, and Progent will monitor your network and respond to alerts that call for urgent attention. Progent's consultants can also assist you to set up and test a backup and disaster recovery solution like ProSight Data Protection Services so you can get back in business quickly from a potentially disastrous cyber attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint security and Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery
    ProSight Data Protection Services offer small and medium-sized businesses a low cost end-to-end service for secure backup/disaster recovery. For a fixed monthly cost, ProSight Data Protection Services automates and monitors your backup activities and allows rapid restoration of critical data, applications and virtual machines that have become lost or corrupted as a result of hardware failures, software bugs, disasters, human error, or malware attacks like ransomware. ProSight Data Protection Services can help you back up, retrieve and restore files, folders, apps, system images, as well as Hyper-V and VMware virtual machine images. Critical data can be backed up on the cloud, to an on-promises device, or to both. Progent's cloud backup consultants can provide world-class support to configure ProSight DPS to be compliant with government and industry regulatory standards such as HIPAA, FIRPA, PCI and Safe Harbor and, whenever necessary, can help you to restore your critical information. Learn more about ProSight DPS Managed Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering and email encryption service that uses the technology of leading data security vendors to deliver web-based management and comprehensive protection for all your email traffic. The hybrid structure of Email Guard managed service combines cloud-based filtering with an on-premises security gateway device to offer advanced defense against spam, viruses, Dos Attacks, Directory Harvest Attacks (DHAs), and other email-based malware. Email Guard's cloud filter acts as a preliminary barricade and blocks most unwanted email from making it to your security perimeter. This decreases your exposure to external threats and conserves network bandwidth and storage. Email Guard's onsite security gateway appliance provides a further level of inspection for incoming email. For outgoing email, the onsite security gateway offers anti-virus and anti-spam protection, protection against data leaks, and email encryption. The onsite gateway can also assist Exchange Server to monitor and protect internal email that originates and ends inside your corporate firewall. For more details, see Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Management
    ProSight WAN Watch is a network infrastructure monitoring and management service that makes it simple and inexpensive for small and mid-sized organizations to map, monitor, reconfigure and troubleshoot their networking hardware like switches, firewalls, and access points as well as servers, endpoints and other devices. Incorporating state-of-the-art Remote Monitoring and Management (RMM) technology, WAN Watch makes sure that network diagrams are kept updated, copies and displays the configuration of virtually all devices connected to your network, tracks performance, and generates notices when problems are discovered. By automating complex network management activities, WAN Watch can knock hours off ordinary chores such as network mapping, reconfiguring your network, finding devices that require critical software patches, or resolving performance bottlenecks. Find out more details about ProSight WAN Watch infrastructure management services.

  • ProSight LAN Watch: Server and Desktop Monitoring
    ProSight LAN Watch is Progentís server and desktop remote monitoring managed service that incorporates advanced remote monitoring and management technology to help keep your IT system operating at peak levels by tracking the state of vital assets that drive your information system. When ProSight LAN Watch uncovers an issue, an alarm is sent automatically to your designated IT staff and your Progent engineering consultant so that all potential issues can be resolved before they can disrupt your network. Learn more details about ProSight LAN Watch server and desktop remote monitoring consulting.

  • ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
    With Progent's ProSight Virtual Hosting service, a small or mid-size business can have its critical servers and applications hosted in a secure fault tolerant data center on a high-performance virtual host set up and managed by Progent's network support professionals. Under Progent's ProSight Virtual Hosting service model, the customer owns the data, the operating system software, and the applications. Because the environment is virtualized, it can be ported easily to a different hosting environment without a time-consuming and technically risky reinstallation procedure. With ProSight Virtual Hosting, your business is not locked into one hosting provider. Learn more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to capture, maintain, find and safeguard data related to your IT infrastructure, processes, business apps, and services. You can instantly find passwords or IP addresses and be alerted about impending expirations of SSL certificates or warranties. By updating and managing your IT documentation, you can save as much as 50% of time thrown away looking for vital information about your IT network. ProSight IT Asset Management includes a common location for storing and sharing all documents related to managing your business network like standard operating procedures (SOPs) and How-To's. ProSight IT Asset Management also supports advanced automation for gathering and associating IT information. Whether youíre planning improvements, doing regular maintenance, or responding to an emergency, ProSight IT Asset Management gets you the data you require the instant you need it. Find out more about Progent's ProSight IT Asset Management service.
For 24/7/365 Miami Beach Ransomware Recovery Experts, reach out to Progent at 800-993-9400 or go to Contact Progent.