Ransomware: Your Crippling Information Technology Disaster
Crypto-ransomware has become a too-frequent cyberplague that presents an existential threat for businesses of all sizes that are poorly prepared for an assault. Versions of ransomware such as CryptoLocker, CryptoWall, Locky, SamSam and MongoLock cryptoworms have been out in the wild for years and still cause havoc. More recent strains such as Ryuk, Maze, Sodinokibi, DoppelPaymer, Snatch or Egregor, as well as daily unnamed newcomers, not only encrypt online files but also infect any system backups they can reach. Data synchronized to the cloud can also be corrupted. In a vulnerable environment, this can make automated recovery useless and effectively knocks the entire system back to square one.

Getting services and information back online after a ransomware intrusion becomes a race against time as the victim struggles to contain and clean up the virus and to resume mission-critical activity. Since crypto-ransomware needs time to replicate, assaults are often sprung during nights and weekends, when penetrations in many cases take longer to identify. This multiplies the difficulty of quickly marshalling and organizing an experienced response team.

Progent has a range of services for protecting businesses from ransomware attacks. These include team training to help identify and avoid phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, along with installation of modern security appliances with AI technology to rapidly discover and extinguish day-zero cyber threats. Progent in addition provides the assistance of seasoned ransomware recovery consultants with the talent and perseverance to rebuild a compromised environment as urgently as possible.

Progent's Crypto-Ransomware Recovery Support Services
Soon after a ransomware attack, paying the ransom demand in Bitcoin cryptocurrency does not guarantee that merciless criminals will return the keys to decipher any of your files. Kaspersky ascertained that 17% of crypto-ransomware victims never restored their files even after having paid the ransom, resulting in more losses. The gamble is also costly. Ryuk ransoms commonly range from 15-40 BTC ($120,000 to $400,000). This is significantly higher than the average ransomware demand, which ZDNET determined to be in the range of $13,000. The other path is to re-install the critical components of your IT environment. Absent access to complete data backups, this requires a broad range of skill sets, professional project management, and the willingness to work non-stop until the job is completed.

For decades, Progent has provided certified expert IT services for businesses in Fort Wayne and across the United States and has achieved Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes engineers who have earned high-level certifications in key technologies like Microsoft, Cisco, VMware, and major distributions of Linux. Progent's security specialists have earned internationally recognized industry certifications including CISA, CISSP-ISSAP, CRISC, and GIAC. (Visit Progent's certifications). Progent in addition has expertise with accounting and ERP application software. This breadth of experience gives Progent the ability to quickly identify critical systems, re-organize the surviving parts of your computer network environment following a ransomware event, and configure them into an operational network.

Progent's security team uses top-notch project management tools to coordinate the complicated recovery process. Progent appreciates the importance of working quickly and in concert with a client's management and Information Technology staff to prioritize tasks and to put critical applications back online as fast as possible.

Client Case Study: A Successful Ransomware Attack Response
A customer contacted Progent after their network was taken over by the Ryuk ransomware. Ryuk is believed to have been deployed by North Korean state cybercriminals, possibly using techniques leaked from the U.S. National Security Agency. Ryuk goes after specific organizations with limited ability to sustain disruption and is one of the most lucrative iterations of ransomware viruses. Highly publicized targets include Data Resolution, a California-based information warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a small manufacturer headquartered in Chicago with about 500 employees. The Ryuk penetration had frozen all company operations and manufacturing processes. Most of the client's backups had been directly accessible at the start of the attack and were destroyed. The client considered paying the ransom demand (in excess of $200,000) and hoping for the best, but in the end made the decision to use Progent.

"I cannot speak enough in regards to the support Progent gave us throughout the most fearful time of (our) company's existence. We most likely would have paid the cyber criminals if not for the confidence the Progent group gave us. That you could get our e-mail system and important servers back on-line sooner than 1 week was incredible. Every single staff member I got help from or communicated with at Progent was urgently focused on getting us back online and was working breakneck pace on our behalf."

Progent worked hand in hand with the customer to rapidly understand and prioritize the key services that had to be addressed in order to resume departmental operations:

  • Active Directory (AD)
  • Email
  • MRP System

To start, Progent adhered to anti-virus penetration mitigation best practices by stopping the spread and cleaning up compromised systems. Progent then initiated the steps of recovering Windows Active Directory, the foundation of enterprise environments built upon Microsoft Windows technology. Microsoft Exchange email will not operate without Windows AD, and the client's MRP applications relied on Microsoft SQL Server, which depends on Windows AD for authentication to the database.

In less than two days, Progent was able to recover Active Directory to its pre-penetration state. Progent then assisted with setup and storage recovery of essential servers. All Exchange Server data and attributes were intact, which accelerated the restore of Exchange. Progent was also able to assemble intact OST data files (Outlook Email Offline Data Files) on team PCs in order to recover mail messages. A recent off-line backup of the business's financials/MRP systems made it possible to bring these essential applications back online. Although major work still had to be done to recover fully from the Ryuk virus, the most important services were recovered rapidly:

"For the most part, the production manufacturing operation never missed a beat and we did not miss any customer orders."

Throughout the following month, important milestones in the recovery project were reached through tight collaboration between Progent consultants and the client:

  • In-house web sites were restored without losing any data.
  • The MailStore Microsoft Exchange Server containing more than four million archived emails was brought online and accessible to users.
  • CRM/Product Ordering/Invoicing/AP/AR/Inventory Control modules were 100 percent recovered.
  • A new Palo Alto 850 security appliance was brought online.
  • Nearly all of the desktops and laptops were being used by staff.

"A huge amount of what occurred during the initial response is mostly a fog for me, but I will not soon forget the care all of the team put in to help get our business back. I've utilized Progent for the past 10 years, possibly more, and every time I needed help Progent has come through and delivered. This situation was the most impressive ever."

Conclusion
A probable business-killing catastrophe was averted through the efforts of results-oriented experts, a broad range of technical expertise, and tight teamwork. Although, in post mortem, the ransomware attack described here would have been identified and blocked with up-to-date cyber security technology solutions and best practices, user training, and properly executed security procedures for data backup and applying software patches, the reality remains that state-sponsored cyber criminals from China, Russia, North Korea and elsewhere are relentless and represent an ongoing threat. If you do fall victim to a ransomware penetration, remember that Progent's team of experts has proven experience in ransomware defense, mitigation, and information systems restoration.

"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (along with others who were contributing), thank you for allowing me to get some sleep after we got through the most critical parts. Everyone did an incredible job, and if anyone is visiting the Chicago area, dinner is on me!"

To review or download a PDF version of this case study, click:
Progent's Crypto-Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent can provide businesses in Fort Wayne a range of online monitoring and security evaluation services designed to help you to reduce the threat from crypto-ransomware. These services utilize next-generation artificial intelligence technology to detect new variants of ransomware that are able to get past traditional signature-based security solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring is an endpoint protection (EPP) service that utilizes next-generation behavior-based machine learning tools to guard physical and virtual endpoint devices against new malware attacks like ransomware and email phishing, which routinely evade traditional signature-matching AV tools. ProSight Active Security Monitoring protects local and cloud resources and provides a unified platform to manage the entire malware attack progression, including protection, identification, containment, remediation, and post-attack forensics. Key capabilities include single-click rollback with Windows VSS and automatic network-wide immunization against new threats. Find out more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection: Endpoint Protection and Exchange Email Filtering
    ProSight Enhanced Security Protection managed services deliver affordable in-depth security for physical and virtual servers, desktops, smartphones, and Microsoft Exchange. ProSight ESP uses adaptive security and advanced machine learning for continuously monitoring and reacting to security threats from all vectors. ProSight ESP delivers firewall protection, intrusion alarms, endpoint control, and web filtering via leading-edge technologies packaged within one agent accessible from a unified console. Progent's security and virtualization experts can assist your business to plan and implement a ProSight ESP deployment that meets your company's unique needs and that allows you to demonstrate compliance with legal and industry data security standards. Progent will assist you in defining and configuring the policies that ProSight ESP will manage, and Progent will monitor your network and react to alarms that call for immediate attention. Progent can also assist your company to install and verify a backup and restore system like ProSight Data Protection Services (DPS) so you can get back in business rapidly from a potentially disastrous cyber attack like ransomware. Learn more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint protection and Microsoft Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery
    ProSight Data Protection Services from Progent offer small and medium-sized businesses a low-cost end-to-end solution for reliable backup/disaster recovery (BDR). Available at a fixed monthly price, ProSight DPS automates your backup processes and allows fast restoration of critical data, apps and virtual machines that have become unavailable or corrupted due to hardware failures, software bugs, natural disasters, human mistakes, or malware attacks like ransomware. ProSight Data Protection Services can help you back up, retrieve and restore files, folders, applications, system images, as well as Hyper-V and VMware images. Critical data can be protected on the cloud, to a local device, or to both. Progent's BDR specialists can deliver advanced expertise to set up ProSight Data Protection Services to be compliant with government and industry regulatory requirements like HIPAA, FERPA, and PCI and, when needed, can help you to restore your business-critical information. Learn more about ProSight DPS Managed Cloud Backup.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering and email encryption service that incorporates the infrastructure of leading information security vendors to provide web-based control and world-class security for your inbound and outbound email. The powerful architecture of Progent's Email Guard combines cloud-based filtering with a local gateway appliance to provide complete protection against spam, viruses, Denial of Service attacks, Directory Harvest attacks, and other email-based threats. The cloud filter serves as a first line of defense and blocks the vast majority of unwanted email from reaching your security perimeter. This decreases your exposure to external attacks and saves system bandwidth and storage space. Email Guard's onsite gateway appliance provides a deeper layer of analysis for inbound email. For outgoing email, the onsite security gateway provides AV and anti-spam filtering, protection against data leaks, and email encryption. The onsite security gateway can also assist Microsoft Exchange Server to track and protect internal email that originates and ends within your corporate firewall. For more details, visit Email Guard spam and content filtering.

  • ProSight WAN Watch: Infrastructure Management
    ProSight WAN Watch is an infrastructure monitoring and management service that makes it easy and inexpensive for smaller businesses to diagram, monitor, reconfigure and debug their connectivity appliances such as routers and switches, firewalls, and wireless controllers as well as servers, printers, endpoints and other devices. Using state-of-the-art RMM technology, WAN Watch ensures that infrastructure topology diagrams are kept updated, captures and displays the configuration information of virtually all devices on your network, monitors performance, and generates alerts when issues are detected. By automating time-consuming management and troubleshooting processes, WAN Watch can cut hours off common tasks like making network diagrams, reconfiguring your network, locating devices that need important updates, or isolating performance bottlenecks. Learn more details about ProSight WAN Watch infrastructure management services.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop monitoring managed service that incorporates state-of-the-art remote monitoring and management (RMM) technology to help keep your IT system running at peak levels by checking the health of the critical computers that drive your information system. When ProSight LAN Watch detects a problem, an alert is sent automatically to your designated IT personnel and your assigned Progent consultant so that potential problems can be resolved before they have a chance to impact your network. Find out more details about ProSight LAN Watch server and desktop remote monitoring consulting.

  • ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
    With Progent's ProSight Virtual Hosting service, a small or mid-size organization can have its critical servers and applications hosted in a secure Tier III data center on a high-performance virtual machine host set up and managed by Progent's network support professionals. With the ProSight Virtual Hosting model, the customer owns the data, the OS platforms, and the apps. Because the environment is virtualized, it can be moved immediately to an alternate hardware solution without requiring a lengthy and difficult reinstallation process. With ProSight Virtual Hosting, your business is not tied to one hosting service. Learn more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to create, update, find and safeguard information about your IT infrastructure, procedures, applications, and services. You can instantly find passwords or serial numbers and be alerted about impending expirations of SSL certificates or domains. By cleaning up and managing your network documentation, you can save up to half of the time wasted trying to find vital information about your network. ProSight IT Asset Management features a centralized repository for storing and collaborating on all documents related to managing your network infrastructure, like standard operating procedures and How-To's. ProSight IT Asset Management also offers advanced automation for gathering and associating IT information. Whether you're planning enhancements, performing regular maintenance, or reacting to a crisis, ProSight IT Asset Management delivers the information you need as soon as you need it. Find out more about the ProSight IT Asset Management service.

For 24/7 Fort Wayne Ransomware Remediation Consulting, call Progent at 800-462-8800 or go to Contact Progent.