Ransomware: Your Feared Information Technology Disaster

Ransomware Recovery Experts
Ransomware has become an escalating cyber plague that poses an existential danger to businesses poorly prepared for an attack. Ransomware families such as Dharma, WannaCry, Locky, Syskey and MongoLock have been around for years and still cause destruction. The latest variants, such as Ryuk and Hermes, along with newer malware that has not yet been named, not only encrypt online data but also encrypt any system backups they can reach. Data synchronized to the cloud can also be ransomed. In a poorly designed data protection solution, this can make automatic restoration impossible and effectively set the entire system back to square one.

Bringing services and data back online after a ransomware intrusion becomes a race against time as the victim struggles to contain the damage, remove the ransomware, and resume business-critical activity. Because ransomware needs time to spread, attacks are often launched on weekends and at night, when they typically take longer to detect. This compounds the difficulty of promptly mobilizing and coordinating a qualified response team.

Progent provides a variety of services for protecting businesses from ransomware intrusions. These include staff education to help employees recognize and avoid phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and deployment of the latest generation of AI-based security solutions that rapidly identify and contain new threats. Progent also offers the assistance of experienced ransomware recovery engineers with the skill and commitment to rebuild a breached system as quickly as possible.

Progent's Ransomware Restoration Help
Following a ransomware event, paying the ransom demand in cryptocurrency does not guarantee that the criminal gang will respond with the keys to decrypt any of your files. Kaspersky determined that seventeen percent of ransomware victims never recovered their data even after paying the ransom, compounding their losses. The gamble is also very expensive. Ryuk ransoms commonly range from fifteen to forty BTC (roughly $120,000 to $400,000). This is well above the typical ransomware demand, which ZDNET determined to be around $13,000. The alternative is to piece the mission-critical components of your IT environment back together. Without complete data backups, this requires a wide range of skill sets, well-coordinated team management, and the capacity to work non-stop until the recovery project is complete.

For decades, Progent has provided certified expert IT services to companies in Fort Wayne and throughout the U.S. and has earned Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes consultants who hold top certifications in key technologies from Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cyber security consultants have earned internationally recognized industry certifications including CISA, CISSP, ISACA CRISC, and SANS GIAC. (Visit Progent's certifications.) Progent also has experience with financial management and ERP applications. This breadth of experience gives Progent the skills to rapidly understand critical systems, organize the surviving parts of your IT environment after a ransomware attack, and rebuild them into a functioning network.

Progent's security group uses state-of-the-art project management systems to orchestrate the complex restoration process. Progent understands the importance of acting swiftly and working together with a client's management and IT staff to prioritize tasks and bring essential applications back online as fast as possible.

Business Case Study: A Successful Ransomware Incident Restoration
A small business contacted Progent after their company was brought down by the Ryuk ransomware. Ryuk is thought to have been deployed by North Korean state-sponsored criminal gangs, suspected of adopting techniques leaked from the United States NSA. Ryuk targets specific companies with little or no ability to tolerate operational disruption and is one of the most lucrative examples of ransomware. Highly publicized victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a small manufacturing company headquartered in Chicago with about 500 workers. The Ryuk event had paralyzed all business operations and manufacturing processes. Most of the client's backups were directly accessible at the time of the attack and were encrypted along with the production data. The client was preparing to pay the ransom demand (in excess of $200,000) and hoping for the best, but in the end turned to Progent.

"I cannot speak enough about the help Progent provided us throughout the most fearful period of (our) business's life. We would have paid the criminal gangs except for the confidence the Progent group gave us. The fact that you could get our messaging and production servers back in less than one week was earth shattering. Each expert I worked with or texted at Progent was amazingly focused on getting our company operational and was working at all hours on our behalf."

Progent worked with the client to rapidly determine and assign priority to the most important systems that had to be restored in order to continue company operations:

  • Active Directory (AD)
  • Exchange Server
  • MRP System

To begin, Progent followed anti-malware incident response best practices by isolating affected systems and removing the active malware. Progent then started the task of rebuilding Windows Active Directory, the core of enterprise environments built on Microsoft Windows Server technology. Microsoft Exchange Server email will not operate without AD, and the client's accounting and MRP system relied on Microsoft SQL Server, which in turn depended on AD for authentication to the database.

Within two days, Progent had rebuilt Active Directory to its pre-attack state. Progent then reinstalled the required systems and recovered their storage. All Microsoft Exchange Server relationships and configuration information were intact, which simplified the restoration of Exchange. Progent was also able to collect intact OST files (Microsoft Outlook Offline Folder files) from staff desktops and laptops to recover mail data. A recent offline backup of the client's accounting/MRP software made it possible to return these vital applications to service. Although a great deal of work remained to recover fully from the Ryuk event, the most important services were restored rapidly:

"For the most part, the production line operation was never shut down and we produced all customer shipments."

During the following weeks, critical milestones in the restoration project were reached in close collaboration between Progent engineers and the client:

  • Internal web sites were restored without losing any information.
  • The MailStore archive for Microsoft Exchange Server, holding over 4 million archived messages, was restored to operation and made available to users.
  • CRM/Product Ordering/Invoicing/Accounts Payable/AR/Inventory capabilities were fully recovered.
  • A new Palo Alto Networks 850 security appliance was brought online.
  • Ninety percent of the user desktops and notebooks were back in operation.

"A lot of what transpired in the initial days is mostly a blur for me, but my team will not soon forget the care each of the team put in to help get our business back. I've been working together with Progent for the past ten years, maybe more, and every time Progent has outperformed my expectations and delivered. This event was a testament to your capabilities."

Conclusion
A potential business-killing disaster was averted thanks to results-oriented experts, a wide spectrum of subject matter expertise, and tight collaboration. Although in retrospect the ransomware attack described here could have been blocked with current security solutions and best practices, user training, well-designed incident response procedures, properly protected backups, and sound patching controls, the fact remains that state-sponsored cybercriminals from China, North Korea and elsewhere are relentless and represent an ongoing threat. If you do fall victim to ransomware, remember that Progent's team of professionals has a proven track record in ransomware blocking, cleanup, and file recovery.

"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (and any others who were involved), thanks very much for making it so I could get some sleep after we made it through the initial fire. All of you did a fabulous effort, and if anyone is in the Chicago area, a great meal is my treat!"

To review or download a PDF version of this case study, see Progent's Crypto-Ransomware Incident Recovery Case Study Datasheet (PDF, 282 KB).

Additional Ransomware Protection Services Offered by Progent
Progent offers companies in Fort Wayne a variety of online monitoring and security assessment services designed to help you minimize the threat from ransomware. These services use next-generation artificial intelligence technology to uncover new variants of ransomware that can evade traditional signature-based security products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring is an endpoint protection (EPP) solution that uses next-generation behavior-based machine learning technology to defend physical and virtual endpoint devices against modern malware attacks such as ransomware and email phishing, which routinely evade legacy signature-matching anti-virus products. ProSight ASM protects on-premises and cloud-based resources and provides a single platform to automate the complete malware attack lifecycle, including filtering, detection, mitigation, remediation, and forensics. Key capabilities include single-click rollback using the Windows Volume Shadow Copy Service and automatic network-wide immunization against new threats. Read more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection: Endpoint Protection and Exchange Email Filtering
    Progent's ProSight Enhanced Security Protection (ESP) services deliver economical in-depth security for physical and virtual servers, workstations, smartphones, and Microsoft Exchange. ProSight ESP uses contextual security and advanced heuristics to continuously monitor and react to cyber attacks from all vectors. ProSight ESP delivers two-way firewall protection, intrusion alerts, endpoint management, and web filtering through cutting-edge tools packaged in a single agent managed from a unified console. Progent's security and virtualization consultants can help your business plan and configure a ProSight ESP environment that addresses your company's specific needs and lets you prove compliance with legal and industry information security standards. Progent will help you specify and configure the policies that ProSight ESP will enforce, and Progent will monitor your IT environment and respond to alerts that require urgent attention. Progent can also help you set up and test a backup and restore system such as ProSight Data Protection Services so you can recover rapidly from a potentially disastrous security attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection unified endpoint protection and Microsoft Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery
    ProSight Data Protection Services from Progent offer small and medium-sized organizations an affordable and fully managed solution for secure backup and disaster recovery. Available at a fixed monthly rate, ProSight Data Protection Services automates and monitors your backup activities and allows rapid restoration of critical files, applications and VMs that have become unavailable or corrupted due to hardware failures, software glitches, disasters, human error, or malicious attacks such as ransomware. ProSight Data Protection Services can help you protect, retrieve and restore files, folders, applications, system images, and Hyper-V and VMware images. Important data can be protected in the cloud, on a local storage device, or mirrored to both. Progent's backup and recovery consultants can provide world-class support to set up ProSight Data Protection Services to comply with regulatory standards such as HIPAA, FIRPA, PCI and Safe Harbor and, when needed, can help you recover your business-critical data. Find out more about ProSight DPS Managed Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that incorporates the infrastructure of leading information security companies to deliver centralized control and comprehensive security for your inbound and outbound email. The hybrid architecture of Progent's Email Guard managed service combines a Cloud Protection Layer with a local security gateway device to provide advanced defense against spam, viruses, DoS attacks, Directory Harvest Attacks (DHAs), and other email-borne threats. Email Guard's cloud filter acts as a preliminary barricade and keeps the vast majority of threats from reaching your security perimeter. This reduces your exposure to external attacks and conserves network bandwidth and storage space. Email Guard's on-premises gateway appliance provides a further level of analysis for inbound email. For outgoing email, the local gateway provides anti-virus and anti-spam protection, protection against data leaks, and email encryption. The on-premises security gateway can also help Microsoft Exchange Server monitor and protect internal email that stays inside your security perimeter. For more information, see Email Guard spam and content filtering.

  • ProSight WAN Watch: Infrastructure Management
    ProSight WAN Watch is an infrastructure management service that makes it simple and inexpensive for small and mid-sized organizations to diagram, track, optimize and troubleshoot their networking appliances such as switches, firewalls, and load balancers as well as servers, printers, endpoints and other devices. Using cutting-edge Remote Monitoring and Management (RMM) technology, WAN Watch keeps infrastructure topology maps current, backs up and manages the configuration of almost all devices on your network, monitors performance, and sends notifications when problems are discovered. By automating tedious management processes, WAN Watch can cut hours from common tasks such as network mapping, expanding your network, finding appliances that require critical software patches, or resolving performance bottlenecks. Find out more about ProSight WAN Watch infrastructure management services.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop monitoring managed service that uses state-of-the-art remote monitoring and management techniques to keep your network running at peak levels by tracking the health of the critical computers that power your information system. When ProSight LAN Watch detects an issue, an alert is sent automatically to your designated IT staff and your assigned Progent consultant so that looming problems can be resolved before they have a chance to disrupt your network. Learn more about ProSight LAN Watch server and desktop monitoring services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With Progent's ProSight Virtual Hosting service, a small organization can have its key servers and applications hosted in a protected Tier III data center on a high-performance virtual machine host configured and maintained by Progent's network support professionals. Under Progent's ProSight Virtual Hosting service model, the customer owns the data, the OS platforms, and the applications. Because the environment is virtualized, it can be moved immediately to different hardware without a lengthy and technically risky reinstallation process. With ProSight Virtual Hosting, your business is not tied to a single hosting service. Learn more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management is a cloud-based IT documentation management service that allows you to create, update, find and safeguard information about your IT infrastructure, processes, business applications, and services. You can instantly find passwords or IP addresses and be alerted about upcoming expirations of SSL certificates, domains or warranties. By keeping your IT documentation current and organized, you can save up to 50% of the time wasted trying to find vital information about your IT network. ProSight IT Asset Management features a centralized repository for storing and collaborating on all documents related to managing your business network, such as recommended procedures and how-to guides. ProSight IT Asset Management also offers a high level of automation for gathering and relating IT information. Whether you're planning improvements, doing maintenance, or reacting to a crisis, ProSight IT Asset Management delivers the knowledge you need the instant you need it. Read more about Progent's ProSight IT Asset Management service.

For 24-hour Fort Wayne CryptoLocker cleanup services, reach out to Progent at 800-993-9400 or go to Contact Progent.