Ransomware : Your Feared IT Catastrophe
Ransomware  Recovery ConsultantsRansomware has become an escalating cyberplague that poses an extinction-level threat for businesses poorly prepared for an assault. Multiple generations of ransomware like the Dharma, CryptoWall, Bad Rabbit, NotPetya and MongoLock cryptoworms have been out in the wild for many years and still inflict destruction. More recent versions of ransomware like Ryuk and Hermes, as well as more unnamed viruses, not only do encryption of online data files but also infiltrate most configured system backup. Information replicated to cloud environments can also be corrupted. In a vulnerable system, it can render automatic restoration hopeless and effectively sets the datacenter back to zero.

Getting back applications and information after a crypto-ransomware outage becomes a race against time as the targeted organization tries its best to stop lateral movement and clear the ransomware and to restore business-critical operations. Due to the fact that crypto-ransomware takes time to spread, penetrations are usually sprung during nights and weekends, when attacks in many cases take longer to identify. This compounds the difficulty of quickly mobilizing and organizing a knowledgeable response team.

Progent offers a range of solutions for protecting organizations from ransomware events. Among these are team member education to help identify and not fall victim to phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, in addition to installation of modern security gateways with machine learning technology to intelligently identify and quarantine new cyber threats. Progent also can provide the assistance of experienced ransomware recovery consultants with the skills and perseverance to rebuild a compromised network as urgently as possible.

Progent's Crypto-Ransomware Restoration Help
Soon after a ransomware event, paying the ransom demands in Bitcoin cryptocurrency does not provide any assurance that cyber criminals will return the codes to unencrypt any of your data. Kaspersky ascertained that 17% of ransomware victims never restored their data after having sent off the ransom, resulting in more losses. The gamble is also very costly. Ryuk ransoms often range from 15-40 BTC ($120,000 and $400,000). This is greatly above the usual ransomware demands, which ZDNET averages to be approximately $13,000. The fallback is to re-install the vital components of your Information Technology environment. Without the availability of complete system backups, this requires a wide range of skill sets, well-coordinated team management, and the capability to work 24x7 until the recovery project is complete.

For twenty years, Progent has provided expert Information Technology services for businesses in Albany and across the US and has achieved Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes professionals who have been awarded high-level industry certifications in leading technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cyber security specialists have earned internationally-renowned industry certifications including CISA, CISSP, ISACA CRISC, and GIAC. (Visit Progent's certifications). Progent in addition has expertise with financial management and ERP application software. This breadth of experience affords Progent the capability to rapidly understand necessary systems and re-organize the surviving parts of your Information Technology environment after a ransomware penetration and assemble them into a functioning network.

Progent's recovery team has powerful project management tools to coordinate the sophisticated restoration process. Progent appreciates the importance of working quickly and together with a client's management and Information Technology staff to prioritize tasks and to put the most important applications back on line as soon as humanly possible.

Client Case Study: A Successful Ransomware Virus Recovery
A business sought out Progent after their organization was taken over by the Ryuk ransomware. Ryuk is believed to have been developed by Northern Korean state sponsored cybercriminals, suspected of using strategies leaked from Americaís National Security Agency. Ryuk targets specific companies with little ability to sustain disruption and is one of the most lucrative instances of ransomware viruses. Major targets include Data Resolution, a California-based info warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a regional manufacturing company headquartered in the Chicago metro area and has about 500 workers. The Ryuk intrusion had brought down all essential operations and manufacturing processes. Most of the client's data protection had been online at the beginning of the intrusion and were destroyed. The client was evaluating paying the ransom (more than two hundred thousand dollars) and hoping for good luck, but ultimately made the decision to use Progent.


"I cannot tell you enough about the support Progent provided us during the most critical period of (our) companyís existence. We may have had to pay the cyber criminals if not for the confidence the Progent group afforded us. That you could get our e-mail and essential servers back on-line in less than seven days was earth shattering. Every single staff member I interacted with or messaged at Progent was hell bent on getting our company operational and was working 24/7 on our behalf."

Progent worked with the customer to quickly identify and prioritize the essential systems that had to be restored to make it possible to continue business operations:

  • Active Directory
  • Microsoft Exchange
  • MRP System
To get going, Progent adhered to Anti-virus penetration response industry best practices by isolating and clearing infected systems. Progent then started the work of rebuilding Microsoft Active Directory, the core of enterprise systems built upon Microsoft Windows technology. Exchange email will not function without AD, and the client's accounting and MRP system used Microsoft SQL Server, which needs Windows AD for authentication to the databases.

In less than 2 days, Progent was able to restore Active Directory to its pre-intrusion state. Progent then completed rebuilding and storage recovery on mission critical servers. All Exchange Server data and attributes were usable, which accelerated the restore of Exchange. Progent was also able to locate local OST data files (Microsoft Outlook Offline Folder Files) on team workstations to recover mail information. A recent offline backup of the client's financials/MRP systems made it possible to recover these vital services back online. Although a lot of work needed to be completed to recover fully from the Ryuk event, the most important systems were returned to operations rapidly:


"For the most part, the manufacturing operation ran fairly normal throughout and we delivered all customer orders."

During the following month key milestones in the restoration process were completed through close cooperation between Progent consultants and the client:

  • Self-hosted web sites were restored with no loss of data.
  • The MailStore Exchange Server exceeding four million historical messages was spun up and accessible to users.
  • CRM/Orders/Invoices/Accounts Payable (AP)/AR/Inventory modules were 100% restored.
  • A new Palo Alto 850 firewall was brought on-line.
  • Nearly all of the user desktops and notebooks were fully operational.

"A lot of what occurred that first week is nearly entirely a haze for me, but our team will not soon forget the countless hours each and every one of you put in to help get our business back. I have utilized Progent for the past 10 years, maybe more, and each time Progent has outperformed my expectations and delivered. This time was a life saver."

Conclusion
A possible company-ending catastrophe was evaded by dedicated professionals, a wide range of subject matter expertise, and tight teamwork. Although upon completion of forensics the ransomware virus attack detailed here would have been blocked with up-to-date cyber security technology solutions and NIST Cybersecurity Framework best practices, user and IT administrator education, and properly executed security procedures for information protection and proper patching controls, the reality is that government-sponsored cyber criminals from Russia, North Korea and elsewhere are relentless and represent an ongoing threat. If you do get hit by a crypto-ransomware virus, feel confident that Progent's roster of professionals has a proven track record in ransomware virus defense, removal, and file disaster recovery.


"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (and any others that were helping), thanks very much for letting me get some sleep after we made it past the initial push. Everyone did an fabulous job, and if anyone is in the Chicago area, dinner is on me!"

To read or download a PDF version of this customer story, click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent can provide companies in Albany a portfolio of online monitoring and security assessment services designed to help you to reduce the threat from ransomware. These services include modern machine learning capability to detect zero-day strains of crypto-ransomware that can evade legacy signature-based security products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) solution that incorporates cutting edge behavior machine learning technology to defend physical and virtual endpoint devices against new malware attacks like ransomware and email phishing, which routinely escape legacy signature-matching anti-virus products. ProSight Active Security Monitoring protects on-premises and cloud resources and provides a unified platform to automate the complete threat progression including blocking, identification, containment, cleanup, and post-attack forensics. Top features include one-click rollback using Windows Volume Shadow Copy Service and real-time system-wide immunization against new threats. Find out more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection (ESP): Endpoint Security and Exchange Filtering
    Progent's ProSight Enhanced Security Protection (ESP) managed services offer ultra-affordable in-depth protection for physical servers and VMs, workstations, mobile devices, and Exchange email. ProSight ESP utilizes adaptive security and modern behavior analysis for round-the-clock monitoring and responding to security threats from all vectors. ProSight ESP delivers firewall protection, penetration alerts, endpoint control, and web filtering through leading-edge tools packaged within one agent managed from a unified console. Progent's data protection and virtualization consultants can assist you to design and implement a ProSight ESP deployment that addresses your organization's unique needs and that allows you demonstrate compliance with legal and industry data security standards. Progent will help you define and configure policies that ProSight ESP will enforce, and Progent will monitor your network and react to alerts that require urgent attention. Progent's consultants can also help you to install and verify a backup and disaster recovery system such as ProSight Data Protection Services (DPS) so you can get back in business rapidly from a destructive cyber attack like ransomware. Read more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint protection and Microsoft Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services offer small and mid-sized businesses a low cost and fully managed service for reliable backup/disaster recovery. For a fixed monthly price, ProSight Data Protection Services automates and monitors your backup activities and allows rapid restoration of vital data, applications and virtual machines that have become lost or damaged as a result of component breakdowns, software bugs, disasters, human error, or malicious attacks such as ransomware. ProSight DPS can help you back up, recover and restore files, folders, applications, system images, plus Microsoft Hyper-V and VMware virtual machine images. Critical data can be protected on the cloud, to a local storage device, or to both. Progent's BDR consultants can deliver world-class expertise to configure ProSight Data Protection Services to to comply with regulatory standards such as HIPAA, FIRPA, and PCI and, whenever needed, can assist you to restore your business-critical data. Learn more about ProSight DPS Managed Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering and email encryption service that incorporates the technology of leading data security vendors to deliver web-based control and world-class security for all your inbound and outbound email. The hybrid architecture of Email Guard managed service combines cloud-based filtering with a local security gateway device to offer complete defense against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks (DHAs), and other email-borne malware. Email Guard's Cloud Protection Layer serves as a first line of defense and blocks most threats from making it to your security perimeter. This reduces your vulnerability to inbound threats and conserves system bandwidth and storage. Email Guard's onsite security gateway device provides a deeper layer of inspection for inbound email. For outgoing email, the on-premises security gateway offers AV and anti-spam filtering, protection against data leaks, and email encryption. The onsite security gateway can also assist Microsoft Exchange Server to monitor and protect internal email that stays within your security perimeter. For more details, see Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Network Infrastructure Management
    ProSight WAN Watch is an infrastructure monitoring and management service that makes it easy and inexpensive for smaller organizations to map out, track, optimize and troubleshoot their connectivity hardware such as routers, firewalls, and wireless controllers plus servers, printers, endpoints and other devices. Incorporating state-of-the-art Remote Monitoring and Management (RMM) technology, ProSight WAN Watch ensures that infrastructure topology diagrams are always current, copies and manages the configuration information of virtually all devices connected to your network, tracks performance, and generates notices when potential issues are discovered. By automating complex management processes, WAN Watch can cut hours off common chores like network mapping, expanding your network, finding appliances that need critical software patches, or isolating performance issues. Find out more about ProSight WAN Watch network infrastructure monitoring and management services.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring
    ProSight LAN Watch is Progentís server and desktop monitoring managed service that incorporates advanced remote monitoring and management technology to keep your IT system operating efficiently by tracking the health of vital assets that power your information system. When ProSight LAN Watch detects an issue, an alarm is transmitted automatically to your designated IT management personnel and your assigned Progent engineering consultant so all potential issues can be addressed before they have a chance to disrupt productivity. Learn more details about ProSight LAN Watch server and desktop monitoring services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With ProSight Virtual Hosting service, a small organization can have its critical servers and applications hosted in a secure Tier III data center on a fast virtual machine host set up and maintained by Progent's network support professionals. Under Progent's ProSight Virtual Hosting model, the customer owns the data, the operating system platforms, and the apps. Because the system is virtualized, it can be moved easily to a different hardware solution without requiring a lengthy and technically risky configuration process. With ProSight Virtual Hosting, you are not locked into one hosting provider. Learn more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to create, maintain, retrieve and safeguard information about your network infrastructure, processes, business apps, and services. You can quickly locate passwords or serial numbers and be alerted about upcoming expirations of SSL certificates or warranties. By cleaning up and managing your IT documentation, you can save as much as 50% of time thrown away trying to find critical information about your IT network. ProSight IT Asset Management includes a common repository for holding and sharing all documents related to managing your network infrastructure such as recommended procedures and self-service instructions. ProSight IT Asset Management also offers advanced automation for gathering and relating IT data. Whether youíre making improvements, performing regular maintenance, or responding to an emergency, ProSight IT Asset Management delivers the data you require as soon as you need it. Learn more about ProSight IT Asset Management service.
For 24-Hour Albany Crypto Repair Consulting, reach out to Progent at 800-993-9400 or go to Contact Progent.