Ransomware: Your Crippling IT Disaster
Ransomware Remediation Experts
Ransomware has become a modern cyber pandemic and an enterprise-level threat for any business exposed to attack. Crypto-ransomware families such as CrySIS, WannaCry, Bad Rabbit, SamSam and MongoLock have been running rampant for years and continue to inflict damage. Newer families like Ryuk, Maze, Sodinokibi, Netwalker, LockBit or Nephilim, along with daily unnamed newcomers, not only encrypt on-line files but also seek out and disable or corrupt most of the data-protection measures an organization has configured, such as Volume Shadow Copies and any backup target reachable over the network. Files replicated to cloud storage can be ransomed as well, because synchronization faithfully copies the encrypted versions over the originals. In a poorly architected data protection solution, this makes automated restore impossible and effectively sets the datacenter back to zero.

Restoring services and data after a crypto-ransomware outage becomes a sprint against the clock as the targeted organization tries to contain the intrusion, eradicate the malware and resume mission-critical activity. Because the operators need time to move laterally and stage the attack, encryption is usually triggered on nights and weekends, when the intrusion takes longer to notice and fewer responders are on hand. This multiplies the difficulty of promptly marshalling and coordinating a qualified response team.

Progent provides an assortment of services for protecting businesses from ransomware attacks. Among these are user training to recognize and avoid phishing lures, ProSight Active Security Monitoring (ASM) for behavior-based endpoint protection with remote monitoring and management, and setup and configuration of modern security appliances that use AI techniques to rapidly discover and block new threats. Progent also provides the services of seasoned ransomware recovery professionals with the skill and perseverance to rebuild a compromised environment as rapidly as possible.

Progent's Crypto-Ransomware Recovery Services
After a ransomware penetration, paying the ransom in Bitcoin does not guarantee that the attackers will hand over the keys needed to decrypt any or all of your files. Kaspersky Labs found that 17% of crypto-ransomware victims never recovered their data even after paying, compounding their losses. Paying is also very expensive. Ryuk ransoms frequently range from fifteen to forty BTC ($120,000 to $400,000 at the time), far above the typical crypto-ransomware demand, which ZDNet put at around $13,000. The alternative is to rebuild the essential elements of your IT environment from scratch. Without access to complete, uncompromised backups, this requires a broad complement of skill sets, top-notch project management, and the ability to work around the clock until the job is finished.

For twenty years, Progent has provided expert IT services for businesses in Akron and throughout the US and has achieved Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes consultants who hold high-level certifications in key technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity consultants hold internationally recognized industry certifications including CISA, CISSP, ISACA CRISC, and SANS GIAC. (See Progent's certifications.) Progent also has experience with accounting and ERP software. This breadth of experience enables Progent to understand the systems involved, rebuild what was lost, and integrate the surviving parts of your IT environment into a working whole after a crypto-ransomware penetration.

Progent's recovery group uses powerful project management applications to coordinate the complicated recovery process. Progent appreciates the urgency of working swiftly and in unison with a client's management and IT team members to assign priority to tasks and to put critical services back on-line as soon as possible.

Client Story: A Successful Ransomware Recovery
A business contacted Progent after its network was taken over by Ryuk ransomware. Ryuk was initially attributed to North Korean state-sponsored actors because it shares code with the Hermes ransomware, but it is now generally attributed to a financially motivated Russian-speaking criminal group. Ryuk targets specific organizations with little tolerance for downtime and is among the most lucrative ransomware families. Headline victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a manufacturer headquartered in the Chicago metro area with about 500 staff members. The Ryuk intrusion had frozen all essential business operations and manufacturing capabilities. Most of the client's backups had been online and reachable from the compromised network when the attack started, and they were encrypted along with the production data. The client was actively seeking loans to pay the ransom (more than two hundred thousand dollars) and hoping for the best, but in the end engaged Progent.


"I cannot speak enough in regards to the care Progent gave us throughout the most critical time of (our) business's survival. We most likely would have paid the criminal gangs except for the confidence the Progent group provided us. The fact that you could get our messaging and critical applications back quicker than one week was incredible. Every single expert I talked with or texted at Progent was absolutely committed to getting my company operational and was working non-stop on our behalf."

Progent worked together with the client to rapidly determine and prioritize the critical services that needed to be addressed to make it possible to restart departmental functions:

  • Windows Active Directory
  • Microsoft Exchange Email
  • MRP System
To begin, Progent followed incident response best practices by stopping lateral movement and cleaning compromised systems. Progent then set about restoring Microsoft Active Directory, the foundation of any enterprise environment built on Windows. Exchange will not function without Active Directory, and the customer's accounting and MRP system ran on SQL Server, which depended on Active Directory for Windows authentication to the data.

In less than two days, Progent was able to recover Active Directory to its pre-attack state. Progent then pressed ahead with reinstallations and disk recovery for the mission-critical applications. All Exchange Server schema and configuration information in Active Directory was intact, which greatly simplified the Exchange restore. Progent located local OST files (Outlook Offline Data Files) on user workstations and laptops and used them to recover mail content; because an OST is a cached copy tied to the original mailbox profile, its contents must be exported or converted and re-imported rather than simply reattached to a rebuilt mailbox. A recent offline backup of the customer's accounting/ERP system made it possible to bring those essential applications back online. Although a great deal of work remained to recover completely from the Ryuk attack, core services were returned to operation quickly:
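The client's backups were damaged because they were reachable from the compromised network, and the first task after containment is to sort what is still restorable from what is not. The following Python script is an added example, not code from Progent or from the original case study. It triages a file tree (a backup share, a file server, or a workstation profile directory holding OST files) using three indicators: a ransom-note filename, a ransomware file extension, and a high-entropy body with no recognisable file header. The note and extension names are assumptions for illustration and should be confirmed against a sample of the actual variant; the directory it builds to run against is constructed inline.

```python
"""
Post-incident triage of a backup or file-share tree: flag files that look
encrypted by ransomware so intact data can be separated from damaged data.
Added example, not part of the original case study.
"""
import math
import os
import tempfile
import zipfile
from collections import Counter
from dataclasses import dataclass
from pathlib import Path

# Indicators are ASSUMPTIONS for this example; confirm the real note name and
# extension from a sample before relying on them for a live incident.
SUSPECT_EXTENSIONS = {".ryk", ".encrypted", ".locked"}
RANSOM_NOTE_NAMES = {"ryukreadme.txt", "ryukreadme.html"}
# Magic bytes of formats that are high-entropy by design (zip/docx, PDF, JPEG,
# PNG, gzip). In-place encryption overwrites these headers, so a header that
# is still present means the file body is very likely intact.
KNOWN_MAGIC = (b"PK\x03\x04", b"%PDF", b"\xff\xd8\xff", b"\x89PNG", b"\x1f\x8b")
ENTROPY_THRESHOLD = 7.5   # bits per byte: ciphertext ~8.0, plain text ~4-5
SAMPLE_BYTES = 65536      # read only the head of each file for speed


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of the buffer in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


@dataclass
class Finding:
    path: str
    verdict: str      # "intact", "encrypted" or "ransom_note"
    entropy: float
    reason: str


def classify_file(path: Path) -> Finding:
    """Decide whether a single file looks restorable or damaged."""
    if path.name.lower() in RANSOM_NOTE_NAMES:
        return Finding(str(path), "ransom_note", 0.0, "ransom note filename")
    with path.open("rb") as fh:
        head = fh.read(SAMPLE_BYTES)
    ent = shannon_entropy(head)
    if path.suffix.lower() in SUSPECT_EXTENSIONS:
        return Finding(str(path), "encrypted", ent, "ransomware extension")
    if head.startswith(KNOWN_MAGIC):
        # Compressed container with its header intact: high entropy is normal.
        return Finding(str(path), "intact", ent, "recognised file header")
    if ent >= ENTROPY_THRESHOLD:
        return Finding(str(path), "encrypted", ent, "random-looking, no known header")
    return Finding(str(path), "intact", ent, "low entropy")


def triage_tree(root: Path) -> dict:
    """Walk a tree and tally verdicts; returns the tally and per-file findings."""
    findings = [classify_file(p) for p in sorted(root.rglob("*")) if p.is_file()]
    summary = {"intact": 0, "encrypted": 0, "ransom_note": 0}
    for f in findings:
        summary[f.verdict] += 1
    return {"summary": summary, "findings": findings}


def build_demo_tree() -> Path:
    """Constructed sample data standing in for a partially encrypted share."""
    root = Path(tempfile.mkdtemp(prefix="ransom_triage_"))
    (root / "report.txt").write_text("Quarterly production report.\n" * 400)
    with zipfile.ZipFile(root / "drawings.zip", "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("cad.bin", os.urandom(32768))       # high entropy, but intact
    (root / "orders.xlsx.ryk").write_bytes(os.urandom(32768))  # renamed + encrypted
    (root / "invoices.docx").write_bytes(os.urandom(32768))    # encrypted in place
    (root / "RyukReadMe.txt").write_text("Your files are encrypted.\n")
    return root


if __name__ == "__main__":
    result = triage_tree(build_demo_tree())
    print(result["summary"])
    for f in result["findings"]:
        print(f"{f.verdict:12} {f.entropy:4.2f}  {f.reason:32} {f.path}")
```

The header check is what keeps the entropy test honest: archives, Office documents (which are zip containers), PDFs and images are all near 8 bits per byte, so entropy alone would flag a healthy CAD archive as damaged. Run the script read-only against a copy of the backup set before restoring anything, and treat any "encrypted" file whose extension was not changed as evidence that the variant encrypts in place.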


"For the most part, the production line operation was never shut down and we delivered all customer shipments."

Over the next couple of weeks key milestones in the restoration process were achieved through close collaboration between Progent team members and the client:

  • Self-hosted web sites were returned to operation with no loss of information.
  • The MailStore Server containing more than four million archived emails was brought on-line and accessible to users.
  • CRM/Product Ordering/Invoices/AP/Accounts Receivables/Inventory modules were 100% recovered.
  • A new Palo Alto Networks PA-850 firewall was installed and configured.
  • Ninety percent of user desktops were back in use by staff.

"Much of what was accomplished in the early hours is mostly a fog for me, but our team will not soon forget the commitment each and every one of the team accomplished to give us our business back. I have trusted Progent for the past ten years, maybe more, and each time I needed help Progent has shined and delivered. This time was a testament to your capabilities."

Conclusion
A probable business-ending disaster was averted by hard-working professionals, a wide range of subject matter expertise, and tight teamwork. In retrospect, the crypto-ransomware penetration described here could have been blocked with modern security tooling and recognized best practices: staff training, a data-protection design that keeps backups offline or otherwise unreachable from production, and disciplined patching. The reality, however, is that criminal and state-sponsored attackers are relentless and will keep trying. If you do fall victim to a ransomware intrusion, remember that Progent's roster of experts has extensive experience in ransomware prevention, remediation, and data recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (along with others who were helping), thank you for letting me get rested after we got through the initial push. All of you did an impressive job, and if any of your team is in the Chicago area, dinner is my treat!"

To read or download a PDF version of this customer story, please click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent can provide businesses in Akron with a range of online monitoring and security evaluation services to help minimize the threat from ransomware. These services use behavior-based and machine-learning analysis to detect new variants of crypto-ransomware that evade legacy signature-based security products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) solution that utilizes next generation behavior-based analysis technology to defend physical and virtual endpoint devices against modern malware assaults such as ransomware and email phishing, which easily get by legacy signature-matching anti-virus tools. ProSight Active Security Monitoring safeguards on-premises and cloud-based resources and offers a unified platform to address the complete threat lifecycle including protection, infiltration detection, containment, cleanup, and forensics. Top capabilities include single-click rollback with Windows Volume Shadow Copy Service (VSS) and real-time network-wide immunization against new threats. Find out more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection: Endpoint Security and Microsoft Exchange Email Filtering
    Progent's ProSight Enhanced Security Protection (ESP) services offer economical in-depth protection for physical servers and VMs, workstations, mobile devices, and Exchange Server. ProSight ESP uses contextual security and behavior analysis to continuously monitor and respond to threats from all attack vectors. ProSight ESP offers firewall protection, intrusion alerts, device control, and web filtering via leading-edge tools packaged within a single agent managed from a single console. Progent's data protection and virtualization experts can help your business design and configure a ProSight ESP deployment that meets your organization's specific needs and that allows you to demonstrate compliance with government and industry information security standards. Progent will assist you in specifying and implementing the security policies that ProSight ESP will enforce, and Progent will monitor your network and respond to alerts that require immediate action. Progent's consultants can also help you set up and test a backup and restore solution like ProSight Data Protection Services (DPS) so you can recover quickly from a destructive cyber attack like ransomware. Find out more about Progent's ProSight Enhanced Security Protection unified endpoint security and Microsoft Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services offer small and mid-sized organizations a low-cost end-to-end solution for reliable backup and disaster recovery. For a fixed monthly cost, ProSight Data Protection Services automates your backup activities and allows fast restoration of vital files, apps and VMs that have been lost or corrupted as a result of component failures, software glitches, natural disasters, human error, or malicious attacks such as ransomware. ProSight DPS can help you protect, retrieve and restore files, folders, apps, system images, plus Microsoft Hyper-V and VMware images. Critical data can be backed up to the cloud, to a local device, or to both. Progent's cloud backup consultants can deliver world-class expertise to set up ProSight Data Protection Services to comply with government and industry regulatory requirements such as HIPAA, FERPA, PCI and Safe Harbor and, whenever needed, can help you recover your business-critical information. Learn more about ProSight DPS Managed Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering and email encryption service that incorporates the technology of top information security companies to provide web-based control and comprehensive security for your email traffic. The architecture of Progent's Email Guard managed service integrates cloud-based filtering with an on-premises security gateway appliance to offer complete protection against spam, viruses, Denial of Service (DoS) attacks, directory harvest attacks (DHAs), and other email-borne threats. Email Guard's cloud filter acts as a first barrier and blocks the vast majority of threats before they reach your security perimeter. This decreases your exposure to inbound attacks and conserves network bandwidth and storage space. Email Guard's on-premises gateway appliance adds a deeper level of analysis for inbound email. For outbound email, the local security gateway offers AV and anti-spam filtering, DLP, and email encryption. The local security gateway can also work with Microsoft Exchange Server to monitor and protect internal email that stays within your corporate firewall. For more information, visit Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    Progent's ProSight WAN Watch is a network infrastructure management service that makes it simple and inexpensive for small and mid-sized businesses to map out, monitor, enhance and troubleshoot their networking appliances like switches, firewalls, and load balancers plus servers, endpoints and other networked devices. Using cutting-edge RMM technology, ProSight WAN Watch makes sure that infrastructure topology diagrams are always current, captures and displays the configuration information of almost all devices on your network, tracks performance, and sends alerts when potential issues are detected. By automating complex management and troubleshooting processes, ProSight WAN Watch can cut hours off common tasks such as making network diagrams, reconfiguring your network, finding devices that need important software patches, or resolving performance problems. Learn more about ProSight WAN Watch infrastructure monitoring and management consulting.

  • ProSight LAN Watch: Server and Desktop Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop monitoring managed service that uses advanced remote monitoring and management (RMM) technology to help keep your network running efficiently by tracking the health of vital assets that drive your business network. When ProSight LAN Watch detects a problem, an alarm is transmitted automatically to your specified IT staff and your assigned Progent engineering consultant so all potential issues can be addressed before they have a chance to impact productivity. Find out more about ProSight LAN Watch server and desktop monitoring services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
    With Progent's ProSight Virtual Hosting service, a small organization can have its critical servers and apps hosted in a protected fault tolerant data center on a high-performance virtual host configured and maintained by Progent's IT support experts. With Progent's ProSight Virtual Hosting model, the customer retains ownership of the data, the operating system platforms, and the applications. Since the system is virtualized, it can be ported immediately to a different hosting solution without requiring a time-consuming and technically risky configuration procedure. With ProSight Virtual Hosting, your business is not locked into a single hosting provider. Learn more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to create, maintain, find and safeguard data about your network infrastructure, procedures, business apps, and services. You can quickly find passwords or IP addresses and be alerted automatically about impending expirations of SSL certificates or warranties. By cleaning up and managing your IT infrastructure documentation, you can eliminate as much as half of the time spent searching for vital information about your IT network. ProSight IT Asset Management features a centralized location for holding and collaborating on all documents required for managing your network infrastructure such as standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also offers advanced automation for collecting and relating IT data. Whether you're making enhancements, doing maintenance, or responding to an emergency, ProSight IT Asset Management gets you the knowledge you require as soon as you need it. Find out more about ProSight IT Asset Management service.
For Akron 24-7 Crypto Removal Support Services, call Progent at 800-993-9400 or go to Contact Progent.