Ransomware : Your Feared Information Technology Nightmare
Ransomware Remediation Professionals
Ransomware has become an all-too-frequent cyberplague that represents an extinction-level danger for businesses of all sizes that are unprepared for an assault. Older iterations of ransomware like the CrySIS, Fusob, Bad Rabbit, NotPetya and MongoLock cryptoworms have been running rampant for many years and still inflict destruction. Newer variants like Ryuk, Maze, Sodinokibi, DopplePaymer, Lockbit or Egregor, along with additional as yet unnamed strains, not only encrypt online files but also go after any backup and protection mechanism they can reach. Files synchronized to cloud environments can also be encrypted. In a poorly designed data protection solution, this can render automated recovery impossible and effectively knocks the entire system back to square one.

Bringing applications and data back online after a ransomware event becomes a sprint against time as the targeted organization struggles to contain and eradicate the crypto-ransomware and to resume business-critical activity. Because crypto-ransomware takes time to replicate, assaults are frequently launched during nights and weekends, when they typically take longer to notice. This multiplies the difficulty of quickly mobilizing and coordinating a knowledgeable response team.

Progent offers a variety of services for protecting businesses from crypto-ransomware events. These include staff training to help recognize and not fall victim to phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, in addition to deployment of next-generation security gateways with machine learning capabilities to quickly identify and quarantine day-zero cyber attacks. Progent also provides the assistance of experienced ransomware recovery consultants with the track record and commitment to re-deploy a compromised system as rapidly as possible.

Progent's Ransomware Recovery Services
Following a ransomware event, paying the ransom in cryptocurrency does not guarantee that the attackers will hand over the keys to decrypt any or all of your data. Kaspersky Labs determined that seventeen percent of crypto-ransomware victims never restored their information after having paid the ransom, resulting in additional losses. The gamble is also expensive. Ryuk ransoms commonly range from 15 to 40 BTC ($120,000 to $400,000). This is significantly above the usual crypto-ransomware demand, which ZDNET puts at an average of around $13,000. The alternative is to re-install the mission-critical components of your Information Technology environment. Without access to essential data backups, this calls for a broad range of skills, top-notch team management, and the capability to work 24x7 until the recovery project is complete.

For decades, Progent has offered certified expert Information Technology services for businesses in Raleigh and throughout the United States and has achieved Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes professionals who have been awarded advanced certifications in key technologies including Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cyber security engineers have earned internationally-renowned certifications including CISM, CISSP-ISSAP, CRISC, and SANS GIAC. (Refer to Progent's certifications). Progent also has expertise with accounting and ERP application software. This breadth of expertise gives Progent the capability to quickly understand important systems and consolidate the surviving components of your IT system following a ransomware attack and assemble them into an operational network.

Progent's ransomware team has top-notch project management tools to coordinate the complex restoration process. Progent knows the urgency of acting quickly and works together with a customer's management and IT resources to prioritize tasks and to get critical systems back online as fast as humanly possible.

Case Study: A Successful Ransomware Virus Response
A business contacted Progent after their network was brought down by the Ryuk ransomware virus. Ryuk is thought to have been created by North Korean state-sponsored criminal gangs, possibly using technology leaked from the U.S. National Security Agency. Ryuk targets specific companies with little ability to sustain operational disruption and is among the most lucrative iterations of ransomware. Highly publicized victims include Data Resolution, a California-based information warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a single-location manufacturer located in the Chicago metro area with about 500 workers. The Ryuk intrusion had frozen all company operations and manufacturing processes. The majority of the client's data backups had been online at the time of the intrusion and were eventually encrypted. The client was pursuing financing to pay the ransom demand (more than $200K) and hoping for the best, but in the end turned to Progent.


"I cannot tell you enough in regards to the support Progent provided us throughout the most stressful time of (our) company's survival. We may have had to pay the Hackers if it wasn't for the confidence the Progent team gave us. That you were able to get our messaging and important applications back sooner than five days was amazing. Every single consultant I got help from or communicated with at Progent was totally committed to getting us back on-line and was working 24 by 7 on our behalf."

Progent worked together with the client to rapidly identify and assign priority to the key services that needed to be recovered to make it possible to resume company operations:

  • Active Directory (AD)
  • Electronic Messaging
  • Financials/MRP

To start, Progent followed industry best practices for anti-malware incident mitigation by stopping lateral movement and cleaning up infected systems. Progent then initiated the process of rebuilding Active Directory, the heart of enterprise networks built on Microsoft technology. Microsoft Exchange email will not operate without Windows AD, and the business's accounting and MRP system utilized SQL Server, which depends on Active Directory for authentication and authorization to the data.
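The dependency reasoning above (Exchange and SQL Server cannot come back before AD; the ERP cannot come back before SQL Server) is what sets the order of a recovery. The planner below is an added example, not Progent's tooling, that encodes such a dependency inventory and emits recovery phases, flagging anything whose only backup was encrypted along with everything stacked on top of it; all service names, edges and backup states are constructed, and "ReportingPortal" is hypothetical.

```python
"""Dependency-ordered recovery planner, added to illustrate the sequencing logic
in the case study above (not Progent's tooling). All data below is constructed."""

# Constructed inventory: service -> (services it depends on, what survived).
# "rebuild"        no usable backup, rebuilt from scratch (as AD was here)
# "local_copies"   recoverable from surviving local data (e.g. Outlook OST files)
# "offline_backup" an offline backup escaped encryption
# "encrypted"      the only backups were online and were encrypted with the servers
SERVICES = {
    "ActiveDirectory": ((), "rebuild"),
    "ExchangeServer": (("ActiveDirectory",), "local_copies"),
    "SQLServer": (("ActiveDirectory",), "offline_backup"),
    "AccountingMRP": (("SQLServer",), "offline_backup"),
    "MailStore": (("ActiveDirectory", "ExchangeServer"), "offline_backup"),
    "ReportingPortal": (("SQLServer",), "encrypted"),  # hypothetical, not in the case study
}


def plan_recovery(services):
    """Return (phases, blocked). Each service in a phase has all its dependencies
    recovered in an earlier phase, so one phase's members can be worked in
    parallel (Kahn's topological sort, level by level). blocked lists services
    with no recovery path: their only backup was encrypted, or a dependency is
    itself blocked. Raises ValueError on an unknown dependency or a cycle."""
    indegree = {name: len(deps) for name, (deps, _) in services.items()}
    dependents = {name: [] for name in services}
    for name, (deps, _) in services.items():
        for dep in deps:
            if dep not in services:
                raise ValueError(f"{name} depends on unknown service {dep}")
            dependents[dep].append(name)
    blocked = {name for name, (_, source) in services.items() if source == "encrypted"}
    current = sorted(name for name, count in indegree.items() if count == 0)
    phases, visited = [], 0
    while current:
        visited += len(current)
        phase = [name for name in current if name not in blocked]
        if phase:
            phases.append(phase)
        ready = []
        for name in current:
            for child in dependents[name]:
                if name in blocked:
                    blocked.add(child)  # nothing can be restored on top of a lost dependency
                indegree[child] -= 1
                if indegree[child] == 0:
                    ready.append(child)
        current = sorted(ready)
    if visited != len(services):
        raise ValueError("dependency cycle in recovery inventory")
    return phases, sorted(blocked)


if __name__ == "__main__":
    for number, phase in enumerate(plan_recovery(SERVICES)[0], 1):
        print(f"phase {number}: {', '.join(phase)}")
```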

Within two days, Progent was able to restore Active Directory to its pre-attack state. Progent then assisted with reinstallations and storage recovery on essential systems. All Exchange Server ties and configuration information were intact, which greatly helped the restore of Exchange. Progent was also able to collect local OST data files (Microsoft Outlook Off-Line Folder Files) from user desktop computers in order to recover email data. A recent off-line backup of the customer's accounting/ERP software made it possible to bring these required services back online for users. Although significant work remained to recover completely from the Ryuk damage, critical systems were returned to operation rapidly:


"For the most part, the production line operation did not miss a beat and we made all customer orders."

Throughout the next month key milestones in the recovery process were completed in close cooperation between Progent team members and the customer:

  • Internal web sites were restored without losing any data.
  • The MailStore Server with over four million archived messages was brought online and available for users.
  • CRM/Orders/Invoices/Accounts Payable (AP)/Accounts Receivables/Inventory Control functions were fully functional.
  • A new Palo Alto Networks 850 firewall was installed and configured.
  • Ninety percent of the desktop computers were functioning as before the incident.

"A huge amount of what happened that first week is nearly entirely a fog for me, but my management will not soon forget the urgency each of the team put in to give us our business back. I have been working together with Progent for at least 10 years, possibly more, and each time I needed help Progent has shined and delivered as promised. This time was a Herculean accomplishment."

Conclusion
A probable business-ending disaster was averted by results-oriented experts, a broad range of subject matter expertise, and tight collaboration. Although in hindsight the ransomware intrusion described here could have been prevented with advanced security solutions and ISO/IEC 27001 best practices, user training, and appropriate procedures for data protection and software patching, the fact remains that state-sponsored cyber criminals from China, North Korea and elsewhere are tireless and are an ongoing threat. If you do get hit by a crypto-ransomware virus, feel confident that Progent's team of professionals has extensive experience in ransomware virus blocking, mitigation, and file recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Tony (and any others that were contributing), thanks very much for letting me get some sleep after we got over the initial fire. Everyone did an amazing effort, and if any of your guys is visiting the Chicago area, a great meal is on me!"

To read or download a PDF version of this case study, please click:
Progent's Ryuk Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent offers businesses in Raleigh a portfolio of online monitoring and security assessment services designed to help you minimize the threat from crypto-ransomware. These services incorporate next-generation AI technology to uncover new strains of crypto-ransomware that are able to evade traditional signature-based anti-virus solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring is an endpoint protection (EPP) solution that utilizes cutting-edge behavior-based analysis tools to guard physical and virtual endpoints against modern malware attacks such as ransomware and email phishing, which easily evade legacy signature-based anti-virus tools. ProSight ASM protects on-premises and cloud-based resources and offers a unified platform to automate the complete malware attack lifecycle including blocking, detection, containment, remediation, and forensics. Key capabilities include single-click rollback with Windows Volume Shadow Copy Service (VSS) and real-time network-wide immunization against newly discovered attacks. Read more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection: Physical and Virtual Endpoint Protection and Microsoft Exchange Filtering
    ProSight Enhanced Security Protection services deliver affordable in-depth security for physical and virtual servers, workstations, smartphones, and Exchange Server. ProSight ESP utilizes contextual security and advanced machine learning for continuously monitoring and responding to cyber threats from all attack vectors. ProSight ESP provides firewall protection, intrusion alarms, endpoint management, and web filtering via cutting-edge technologies incorporated within a single agent managed from a single console. Progent's data protection and virtualization consultants can assist your business to plan and implement a ProSight ESP deployment that addresses your organization's unique requirements and that helps you prove compliance with government and industry data security standards. Progent will assist you define and configure security policies that ProSight ESP will manage, and Progent will monitor your IT environment and react to alarms that call for urgent attention. Progent can also assist you to install and test a backup and disaster recovery solution such as ProSight Data Protection Services (DPS) so you can get back in business rapidly from a potentially disastrous cyber attack such as ransomware. Find out more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint security and Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services provide small and mid-sized organizations a low-cost end-to-end solution for reliable backup/disaster recovery (BDR). Available at a fixed monthly rate, ProSight Data Protection Services automates your backup processes and enables fast recovery of vital files, applications and VMs that have become unavailable or corrupted due to hardware breakdowns, software glitches, natural disasters, human error, or malicious attacks such as ransomware. ProSight DPS can help you protect, recover and restore files, folders, apps, system images, as well as Microsoft Hyper-V and VMware virtual machine images. Critical data can be backed up to the cloud, to an on-premises storage device, or to both. Progent's BDR specialists can provide advanced support to configure ProSight Data Protection Services to be compliant with regulatory standards like HIPAA, FINRA, and PCI and, whenever necessary, can assist you to recover your critical data. Learn more about ProSight DPS Managed Cloud Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering and email encryption service that uses the technology of top data security vendors to deliver web-based management and comprehensive protection for all your inbound and outbound email. The architecture of Progent's Email Guard combines cloud-based filtering with a local gateway appliance to provide complete protection against spam, viruses, Denial of Service (DoS) attacks, Directory Harvest Attacks (DHAs), and other email-based threats. Email Guard's Cloud Protection Layer acts as a first line of defense and blocks the vast majority of threats from reaching your security perimeter. This decreases your exposure to inbound attacks and saves network bandwidth and storage space. Email Guard's on-premises security gateway appliance provides a deeper level of analysis for incoming email. For outbound email, the on-premises gateway provides AV and anti-spam protection, protection against data leaks, and email encryption. The onsite security gateway can also help Microsoft Exchange Server to track and protect internal email traffic that originates and ends within your security perimeter. For more details, visit ProSight Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Management
    Progent's ProSight WAN Watch is an infrastructure management service that makes it easy and inexpensive for small and mid-sized businesses to map out, monitor, enhance and debug their networking appliances such as switches, firewalls, and load balancers plus servers, printers, client computers and other devices. Incorporating cutting-edge RMM technology, ProSight WAN Watch ensures that infrastructure topology diagrams are always updated, copies and manages the configuration information of almost all devices connected to your network, tracks performance, and sends notices when potential issues are discovered. By automating time-consuming management processes, WAN Watch can knock hours off common tasks like making network diagrams, expanding your network, finding devices that need important updates, or resolving performance issues. Learn more about ProSight WAN Watch network infrastructure monitoring and management consulting.

  • ProSight LAN Watch: Server and Desktop Monitoring
    ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that incorporates advanced remote monitoring and management (RMM) techniques to help keep your network operating efficiently by tracking the health of vital assets that drive your information system. When ProSight LAN Watch uncovers a problem, an alarm is sent automatically to your specified IT management staff and your Progent engineering consultant so that any potential problems can be addressed before they have a chance to disrupt productivity. Find out more about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
    With Progent's ProSight Virtual Hosting service, a small business can have its critical servers and applications hosted in a secure Tier III data center on a high-performance virtual machine host set up and maintained by Progent's IT support experts. With the ProSight Virtual Hosting model, the client retains ownership of the data, the OS software, and the apps. Since the environment is virtualized, it can be ported immediately to an alternate hardware solution without a lengthy and technically risky configuration process. With ProSight Virtual Hosting, your business is not locked into one hosting provider. Learn more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to capture, update, find and safeguard data about your network infrastructure, processes, business apps, and services. You can instantly locate passwords or serial numbers and be alerted about upcoming expirations of SSL certificates or warranties. By cleaning up and organizing your IT documentation, you can save as much as 50% of the time wasted looking for vital information about your IT network. ProSight IT Asset Management includes a centralized repository for storing and collaborating on all documents related to managing your network infrastructure such as recommended procedures and self-service instructions. ProSight IT Asset Management also supports a high level of automation for collecting and relating IT information. Whether you're planning enhancements, doing maintenance, or responding to an emergency, ProSight IT Asset Management delivers the information you require when you need it. Find out more about Progent's ProSight IT Asset Management service.

For Raleigh 24/7 Ransomware Removal Support Services, reach out to Progent at 800-462-8800 or go to Contact Progent.