Ransomware: Your Crippling IT Disaster
Crypto-ransomware has become an all-too-frequent cyberplague and poses an existential threat to businesses of any size that are unprepared for an attack. Ransomware families such as Dharma, WannaCry, Locky, SamSam and MongoLock have been circulating for years and continue to inflict harm. Newer variants such as Ryuk and Hermes, along with a steady stream of as yet unnamed newcomers, not only encrypt on-line data but also seek out and encrypt or destroy any backups they can reach. Data synchronized to cloud storage can be ransomed as well, because the sync client faithfully replicates the encrypted files to the cloud copy. In a poorly designed system this can render every restore point useless and effectively set the network back to square one.
Getting applications and data back online after a ransomware event is a race against the clock: the targeted organization must stop the spread, clean up the infected systems, and resume mission-critical activity. Because ransomware operators need time to move laterally before they trigger encryption, attacks are often launched on weekends, when a successful intrusion can go unnoticed for longer. This compounds the difficulty of quickly mobilizing and coordinating a qualified response team.
Progent offers a variety of services for protecting organizations from ransomware. These include staff training to recognize and avoid phishing, ProSight Active Security Monitoring for remote monitoring and management, and the setup and configuration of modern security gateways with machine-learning capabilities to quickly detect and block zero-day threats. Progent also provides experienced ransomware recovery engineers with the skills and commitment to rebuild a compromised environment as rapidly as possible.
Progent's Ransomware Restoration Help
After a ransomware attack, paying the ransom in cryptocurrency does not guarantee that the criminals will respond with working keys to decrypt all your data. Kaspersky Labs found that 17% of ransomware victims never recovered their data even after paying, compounding their losses. The gamble is also expensive. Ryuk ransoms commonly range from 15 to 40 BTC (roughly $120,000 to $400,000 at the time), far above the average ransomware demand, which ZDNet puts at around $13,000. The alternative is to rebuild the critical elements of your IT environment from scratch. Without intact backups, this calls for a broad range of IT skills, first-rate project management, and the ability to work around the clock until the job is done.
For twenty years, Progent has provided professional IT services to businesses in Mobile and across the U.S., and has earned Microsoft Gold Partner certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes professionals who hold top industry certifications in leading technologies such as Microsoft, Cisco, VMware, and popular Linux distributions. Progent's security specialists hold internationally recognized certifications including CISM, CISSP-ISSAP, ISACA CRISC, and SANS GIAC (see Progent's certifications). Progent also has expertise in financial management and ERP software. This breadth of expertise enables Progent to quickly identify critical systems, reorganize the surviving components of your network after a ransomware attack, and reassemble them into a working system.
Progent's security team uses project management tools to orchestrate the complex restoration process. Progent understands the importance of acting quickly and in concert with a client's management and IT staff to prioritize tasks and bring the most important services back on line as soon as possible.
Case Study: A Successful Ransomware Penetration Response
A client hired Progent after its network was taken over by the Ryuk ransomware. Ryuk shares code with the earlier Hermes ransomware and was initially linked to North Korean state-sponsored actors on that basis; later analysis attributes it to a Russian-speaking criminal group. Ryuk targets specific organizations with little tolerance for downtime and is one of the most lucrative ransomware families. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a small manufacturing company in the Chicago metro area with around 500 employees. The Ryuk intrusion had halted all company operations and manufacturing. Most of the client's backups had been online when the attack began and were eventually encrypted. The client was arranging financing to pay the ransom (more than $200,000) and hoping for the best, but ultimately reached out to Progent.
"I can't tell you enough about the expertise Progent provided us during the most critical period of (our) business's survival. We may have had to pay the cyber criminals behind the attack if not for the confidence the Progent group gave us. The fact that you were able to get our messaging and essential servers back in under seven days was something I thought impossible. Each staff member I worked with or texted at Progent was urgently focused on getting our company operational and was working day and night to bail us out."
Progent worked with the customer to quickly identify and prioritize the mission-critical systems that had to be restored before business operations could resume:
- Microsoft Active Directory
- Exchange Server
- Accounting and Manufacturing Software
To begin, Progent followed incident response best practices by halting lateral movement and cleaning infected systems. Progent then started rebuilding Microsoft Active Directory (AD), the foundation of enterprise networks built on Microsoft Windows. Microsoft Exchange Server email will not operate without AD, and the client's MRP applications ran on Microsoft SQL Server and relied on AD accounts to authorize access to the databases.
Within two days, Progent had rebuilt Active Directory to its pre-intrusion state. Progent then assisted with rebuilding the most important systems and recovering data from their hard drives. All Microsoft Exchange Server configuration information, which Exchange stores in Active Directory, was still usable, which greatly simplified the Exchange rebuild. Progent located unencrypted OST files (Outlook Offline Data Files) on various PCs and used them to recover mail data. A recent off-line backup of the company's financial/MRP software made it possible to bring those essential applications back on line for users. Although a lot of work remained to recover fully from Ryuk, the most important systems were restored quickly:
"For the most part, the production line operation survived unscathed and we delivered all customer shipments."
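The mail-recovery step described above depended on telling intact Outlook data files apart from copies the ransomware had already overwritten. The following Python script is an added example, not part of the original case study or of any Progent tooling: it walks a directory tree, lists every OST/PST file (including ones renamed with an extra extension), and classifies each by checking the fixed header that every PST/OST file carries per the [MS-PST] specification (the magic bytes "!BDN" at offset 0 and "SM" at offset 8), which encryption destroys. The sample files it builds in a temporary directory, the user names and the .RYK extension on the encrypted file are constructed for the demonstration.

```python
"""Triage Outlook data files (OST/PST) after a ransomware event.

Intact PST/OST files start with a fixed header ([MS-PST] 2.2.2.6): the
4-byte magic "!BDN" at offset 0 and the client magic "SM" at offset 8.
Ransomware that encrypts a file overwrites that header, so a header check
separates copies that can still yield mail from those that are now ciphertext.
"""
import tempfile
from pathlib import Path
from typing import Dict, List

PST_MAGIC = b"!BDN"      # dwMagic 0x4E444221, little-endian
CLIENT_MAGIC = b"SM"     # wMagicClient 0x4D53
UNICODE_VER = 23         # wVer: 23 = Unicode PST/OST (14/15 = legacy ANSI)


def classify_outlook_file(path: str) -> str:
    """Return one of: intact, encrypted_or_corrupt, truncated, unreadable."""
    try:
        with open(path, "rb") as fh:
            header = fh.read(12)
    except OSError:
        return "unreadable"
    if len(header) < 12:
        return "truncated"
    if header[:4] == PST_MAGIC and header[8:10] == CLIENT_MAGIC:
        return "intact"
    return "encrypted_or_corrupt"


def find_outlook_files(root: str) -> List[Path]:
    """List candidate files. Match ".ost"/".pst" anywhere in the name so that
    files renamed by ransomware (e.g. mailbox.ost.RYK) are still reported."""
    return [p for p in Path(root).rglob("*")
            if p.is_file() and (".ost" in p.name.lower() or ".pst" in p.name.lower())]


def triage(root: str) -> Dict[str, List[str]]:
    """Group every candidate under root by its classification (paths relative to root)."""
    report: Dict[str, List[str]] = {}
    for p in find_outlook_files(root):
        rel = p.relative_to(root).as_posix()
        report.setdefault(classify_outlook_file(str(p)), []).append(rel)
    for names in report.values():
        names.sort()
    return report


def build_sample_tree(root: str) -> None:
    """Constructed sample data (not from a real incident): two intact files
    and one that an encryption pass has overwritten and renamed with .RYK."""
    base = Path(root)
    intact = (PST_MAGIC + b"\x00" * 4 + CLIENT_MAGIC
              + UNICODE_VER.to_bytes(2, "little") + b"\x00" * 500)
    ciphertext_stand_in = bytes(range(256)) * 2   # anything without the "!BDN" header
    (base / "alice").mkdir(parents=True)
    (base / "bob").mkdir(parents=True)
    (base / "alice" / "alice@example.com.ost").write_bytes(intact)
    (base / "bob" / "archive.pst").write_bytes(intact)
    (base / "bob" / "bob@example.com.ost.RYK").write_bytes(ciphertext_stand_in)


def run_demo() -> Dict[str, List[str]]:
    """Build the sample tree in a fresh temp directory and triage it."""
    root = tempfile.mkdtemp(prefix="ost-triage-")
    build_sample_tree(root)
    return triage(root)


if __name__ == "__main__":
    for status, names in sorted(run_demo().items()):
        print(f"{status}:")
        for n in names:
            print(f"  {n}")
```

In a real engagement you would point `triage()` at a mounted image or an administrative share of each workstation and copy only the files reported as intact; a file that passes the header check can still be internally damaged, so open each recovered OST in Outlook or a repair tool before relying on it.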
Over the following weeks, further milestones in the recovery were reached through close cooperation between Progent's team and the client:
- In-house web sites were restored with no loss of data.
- The MailStore Server with over 4 million archived emails was restored to operation and made accessible to users.
- CRM/Customer Orders/Invoicing/Accounts Payable/Accounts Receivable/Inventory functions were fully operational.
- A new Palo Alto Networks PA-850 security appliance was installed and configured.
- Nearly all user PCs were back in operation.
"So much of what transpired those first few days is mostly a blur for me, but we will not forget the urgency each of the team accomplished to give us our business back. I've been working together with Progent for the past 10 years, maybe more, and every time Progent has shined and delivered as promised. This situation was a stunning achievement."
A potentially business-ending catastrophe was averted by hard-working experts, a broad spectrum of subject matter expertise, and tight teamwork. In hindsight, the incident described here should have been detected and prevented by current security tooling, adherence to the NIST Cybersecurity Framework or ISO/IEC 27001, staff training, and well-designed procedures for data backup and patch management. But the fact is that state-sponsored and criminal attackers from China, North Korea and elsewhere are relentless and will keep trying. If you are hit by a ransomware incident, remember that Progent's team has a proven track record in ransomware defense, cleanup, and information systems recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (and any others who were contributing), thank you for letting me get rested after we got over the first week. All of you did an impressive effort, and if anyone that helped is visiting the Chicago area, dinner is the least I can do!"
To review or download a PDF version of this customer story, see Progent's Ransomware Recovery Case Study Datasheet (PDF, 282 KB).
Additional Crypto-Ransomware Protection Services Offered by Progent
Progent offers companies in Mobile a portfolio of remote monitoring and security assessment services designed to reduce the threat from ransomware. These services incorporate machine-learning technology to detect new strains of ransomware that evade traditional signature-based anti-virus products.
For 24x7x365 Mobile Ransomware Removal Support Services, contact Progent at 800-993-9400 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
ProSight Active Security Monitoring (ASM) is an endpoint protection solution that uses behavior-based machine learning to defend physical and virtual endpoints against modern malware attacks such as ransomware and phishing, which routinely get past traditional signature-based AV products. ProSight ASM safeguards local and cloud resources and provides a single platform covering the complete threat lifecycle: blocking, detection, containment, remediation, and post-attack forensics. Top features include one-click rollback using Windows Volume Shadow Copy Service (VSS) and real-time network-wide immunization against newly discovered attacks. Read more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware defense.
- ProSight Enhanced Security Protection: Physical and Virtual Endpoint Security and Exchange Email Filtering
ProSight Enhanced Security Protection managed services offer affordable in-depth protection for physical servers and VMs, desktops, mobile devices, and Microsoft Exchange. ProSight ESP uses contextual security and machine learning to continuously monitor and respond to cyber threats from all vectors. ProSight ESP delivers firewall protection, intrusion alerts, endpoint management, and web filtering through leading-edge tools incorporated within a single agent managed from a unified console. Progent's data protection and virtualization experts can help you plan and implement a ProSight ESP environment that addresses your organization's unique needs and lets you demonstrate compliance with government and industry data protection standards. Progent will help you specify and implement the security policies that ProSight ESP enforces, and Progent will monitor your network and respond to alerts that require urgent action. Progent's consultants can also help you install and test a backup and disaster recovery solution like ProSight Data Protection Services so you can recover quickly from a potentially disastrous cyber attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection unified endpoint protection and Exchange email filtering.
- ProSight Data Protection Services: Managed Backup and Recovery
ProSight Data Protection Services from Progent provide small and mid-sized businesses an affordable end-to-end service for reliable backup and disaster recovery. Available at a low monthly price, ProSight Data Protection Services automates and monitors your backup processes and enables rapid recovery of vital data, applications and VMs that have been lost or corrupted through component failures, software glitches, disasters, human error, or malicious attacks like ransomware. ProSight DPS can help you protect, retrieve and restore files, folders, applications, system images, and Hyper-V and VMware virtual machine images. Critical data can be protected in the cloud, on an on-premises device, or mirrored to both. Progent's backup and recovery consultants can deliver world-class support to set up ProSight DPS to comply with regulatory standards like HIPAA, FIRPA, PCI and Safe Harbor and, whenever needed, can help you recover your critical data. Read more about ProSight Data Protection Services Managed Cloud Backup.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam filtering and email encryption service that incorporates the infrastructure of leading information security vendors to provide web-based management and comprehensive protection for all your email traffic. The hybrid architecture of Email Guard combines a Cloud Protection Layer with an on-premises gateway appliance to provide complete protection against spam, viruses, Denial of Service (DoS) Attacks, Directory Harvest Attacks, and other email-borne malware. Email Guard's cloud filter acts as a first line of defense and keeps most unwanted email from reaching your network firewall. This decreases your exposure to inbound attacks and saves network bandwidth and storage. Email Guard's on-premises gateway appliance adds a deeper layer of analysis for inbound email. For outbound email, the local gateway provides AV and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The local security gateway can also assist Microsoft Exchange Server to monitor and protect internal email traffic that originates and ends within your corporate firewall. For more information, visit ProSight Email Guard spam and content filtering.
- ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
Progent's ProSight WAN Watch is a network infrastructure monitoring and management service that makes it easy and inexpensive for smaller businesses to map, track, tune and troubleshoot their network appliances such as routers, switches, firewalls, and access points, as well as servers, printers, endpoints and other networked devices. Built on state-of-the-art RMM technology, WAN Watch keeps network diagrams current, captures and displays the configuration of virtually every device on your network, tracks performance, and generates alerts when problems are detected. By automating tedious management activities, WAN Watch can cut hours off routine chores like drawing network diagrams, reconfiguring your network, locating appliances that need important software patches, or identifying the cause of performance bottlenecks. Learn more about ProSight WAN Watch network infrastructure management services.
- ProSight LAN Watch: Server and Desktop Remote Monitoring
ProSight LAN Watch is Progent's server and desktop remote monitoring service that uses remote monitoring and management (RMM) technology to keep your network running efficiently by checking the health of the vital computers that power your business. When ProSight LAN Watch detects an issue, an alert is sent automatically to your designated IT management personnel and your assigned Progent engineering consultant so that looming problems can be resolved before they impact your network. Learn more about ProSight LAN Watch server and desktop remote monitoring consulting.
- ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
With Progent's ProSight Virtual Hosting service, a small organization can have its critical servers and applications hosted in a secure Tier III data center on a fast virtual machine host set up and maintained by Progent's network support experts. Under the ProSight Virtual Hosting model, the client retains ownership of the data, the operating system platforms, and the applications. Since the system is virtualized, it can be moved immediately to an alternate hosting environment without a lengthy and difficult reinstallation process. With ProSight Virtual Hosting, your business is not locked into a single hosting provider. Find out more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management is a cloud-based IT documentation management service that allows you to create, update, find and protect information about your network infrastructure, procedures, business applications, and services. You can quickly look up passwords or IP addresses and be alerted about upcoming expirations of SSL certificates or domains. By keeping your network documentation current and organized, you can eliminate up to 50% of the time wasted searching for vital information about your IT network. ProSight IT Asset Management provides a common location for storing and sharing all documents related to managing your network infrastructure, such as recommended procedures and self-service instructions. ProSight IT Asset Management also supports a high level of automation for collecting and correlating IT data. Whether you're planning enhancements, doing maintenance, or reacting to a crisis, ProSight IT Asset Management delivers the knowledge you need as soon as you need it. Read more about ProSight IT Asset Management service.