Ransomware: Your Crippling Information Technology Disaster
Ransomware has become a modern cyber-plague that poses an extinction-level threat to businesses vulnerable to attack. Crypto-ransomware families such as Reveton, Fusob, Locky, Syskey and MongoLock have circulated for years and continue to wreak havoc. Current strains such as Ryuk, Maze, Sodinokibi, Netwalker, Snatch and Egregor, plus many less publicized ones, not only encrypt online files but also seek out and encrypt every backup reachable from the compromised network. Files synchronized to off-site disaster recovery sites can be ransomed as well. In a poorly designed system this makes automated restoration impossible and effectively knocks the datacenter back to square one.
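One practical consequence of backups being encrypted in place is that a restore source has to be checked before it is trusted. The following script is added here as an illustration; it is not from the original page and not Progent's tooling. It scans a backup tree and flags files that look ransomware-encrypted using three signals: a known ransomware extension (.RYK is the extension Ryuk appends; .locked and .encrypted are assumed generic examples), a file header that no longer matches the extension's signature, and byte entropy close to that of random data. The sample backup tree it builds, and the file names in it, are constructed for the example.

```python
"""Scan a backup tree for files that look ransomware-encrypted.

Example added for this page (not Progent's tooling); assumptions are marked.
"""
from __future__ import annotations

import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Expected leading bytes for a few formats commonly found in backups.
MAGIC = {
    ".pdf": b"%PDF",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".zip": b"PK\x03\x04",
    ".docx": b"PK\x03\x04",
    ".xlsx": b"PK\x03\x04",
    ".vhdx": b"vhdxfile",
}
# Formats that are compressed by design and therefore legitimately high-entropy.
COMPRESSED = {".zip", ".docx", ".xlsx", ".png"}
# ".ryk" is the extension Ryuk appends; the other two are assumed generic examples.
RANSOM_EXT = {".ryk", ".locked", ".encrypted"}
ENTROPY_THRESHOLD = 7.5  # bits per byte; encrypted data approaches 8.0
SAMPLE_BYTES = 64 * 1024  # only the head of each file is examined


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_file(path: Path) -> str | None:
    """Return why `path` looks encrypted, or None if it looks like intact data."""
    ext = path.suffix.lower()
    if ext in RANSOM_EXT:
        return f"ransomware extension {ext}"
    with path.open("rb") as fh:
        head = fh.read(SAMPLE_BYTES)
    expected = MAGIC.get(ext)
    if expected is not None and not head.startswith(expected):
        return f"header does not match {ext} signature"
    # Only files that are not compressed by design are judged on entropy.
    if ext not in COMPRESSED:
        h = shannon_entropy(head)
        if h > ENTROPY_THRESHOLD:
            return f"entropy {h:.2f} bits/byte"
    return None


def scan_backup(root: Path) -> dict[str, str]:
    """Map of relative path -> reason for every suspicious file under `root`."""
    findings: dict[str, str] = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            reason = classify_file(p)
            if reason:
                findings[p.relative_to(root).as_posix()] = reason
    return findings


def build_sample_tree(root: Path) -> None:
    """Constructed sample backup: three intact files and three damaged ones."""
    (root / "finance").mkdir()
    (root / "finance" / "invoices.pdf").write_bytes(
        b"%PDF-1.4\n" + b"1 0 obj << /Type /Catalog >>\n" * 50)
    (root / "finance" / "notes.txt").write_text("Q4 payables reviewed on Friday.\n" * 40)
    (root / "finance" / "ledger.zip").write_bytes(b"PK\x03\x04" + os.urandom(4096))
    # Ryuk-style rename: original name kept, .RYK appended, contents replaced.
    (root / "finance" / "budget.xlsx.RYK").write_bytes(os.urandom(4096))
    # Encrypted in place: extension kept, header gone.
    (root / "finance" / "contract.docx").write_bytes(os.urandom(4096))
    (root / "finance" / "passwords.txt").write_bytes(os.urandom(4096))


def demo() -> dict[str, str]:
    """Build the constructed tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return scan_backup(root)


if __name__ == "__main__":
    for path, reason in demo().items():
        print(f"{path}: {reason}")
```

Run it as-is to scan the constructed tree, or call scan_backup() on a mounted backup volume before starting a restore. The entropy signal is deliberately skipped for formats that are compressed by design; backups that are legitimately encrypted at rest would also trip it and need their own allow-list.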
Recovering programs and data after a ransomware event becomes a race against time as the targeted organization fights to contain the damage, remove the ransomware and resume mission-critical operations. Because ransomware needs time to spread, attacks are frequently launched on weekends and holidays, when a successful intrusion takes longer to notice. This compounds the difficulty of quickly assembling and coordinating an experienced mitigation team.
Progent makes available an assortment of help services for protecting enterprises from crypto-ransomware attacks. Among these are team member training to help recognize and avoid phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, plus installation of modern security gateways with artificial intelligence capabilities to intelligently detect and suppress new cyber threats. Progent in addition provides the assistance of expert ransomware recovery engineers with the track record and commitment to re-deploy a compromised system as urgently as possible.
Progent's Crypto-Ransomware Restoration Services
After a crypto-ransomware event, paying the ransom in Bitcoin does not guarantee that the remote criminals will supply the keys needed to decrypt any or all of your files. Kaspersky estimated that 17% of crypto-ransomware victims never recovered their files even after paying, compounding their losses. Paying is also expensive. Ryuk ransoms commonly range from 15 to 40 BTC (roughly $120,000 to $400,000 at the time), far above the typical ransomware demand, which ZDNet puts at around $13,000. The alternative is to rebuild the vital components of your IT environment from scratch. Without access to complete, uncompromised backups, this calls for a broad set of skills, professional project management, and the ability to work non-stop until the job is finished.
For decades, Progent has provided professional IT services for businesses in Fort Wayne and across the U.S. and has earned Microsoft Gold Partner certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes professionals who hold high-level industry certifications in key technologies such as Microsoft, Cisco, VMware, and the major Linux distributions. Progent's cyber security consultants hold internationally recognized certifications including CISA, CISSP, CRISC, and SANS GIAC. (See Progent's certifications.) Progent also has experience with financial systems and ERP software. This breadth of expertise lets Progent identify the critical systems, organize the surviving components of your IT environment after a ransomware attack, and assemble them into a working network.
Progent's recovery team uses top-notch project management systems to coordinate the complicated recovery process. Progent appreciates the importance of working rapidly and in concert with a customer's management and IT staff to prioritize tasks and get key applications back online as fast as humanly possible.
Customer Case Study: A Successful Ransomware Penetration Response
A business escalated to Progent after their network was brought down by Ryuk ransomware. Ryuk was thought at the time to have been created by North Korean state hackers, possibly using exploit code leaked from the U.S. National Security Agency, although later research attributes Ryuk operations to Russian-speaking criminal groups. Ryuk targets specific businesses with little or no tolerance for operational disruption and is among the most lucrative ransomware strains. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a single-location manufacturing company in the Chicago metro area with around 500 employees. The Ryuk intrusion had halted all business operations and manufacturing. Most of the client's backups were online when the attack began and were eventually encrypted. The client considered paying the ransom (more than $200,000) and hoping for the best, but in the end chose to engage Progent.
"I cannot say enough about the support Progent gave us throughout the most stressful time of (our) company's existence. We would have had little choice but to pay the hackers if it hadn't been for the confidence the Progent group provided us. That you could get our e-mail system and essential applications back quicker than seven days was something I thought impossible. Each expert I interacted with or texted at Progent was absolutely committed to getting us back on-line and was working 24/7 to bail us out."
Progent worked hand in hand with the client to rapidly assess and prioritize the mission-critical applications that had to be addressed to make it possible to restart business operations:
- Active Directory
- Electronic messaging
To start, Progent followed industry best practices for ransomware incident response by isolating the affected systems and removing the malware. Progent then began recovering Microsoft Active Directory, the heart of enterprise environments built on Microsoft Windows Server. Microsoft Exchange will not function without Windows AD, and the client's MRP system ran on Microsoft SQL Server, which relied on Windows (AD) authentication to authorize access to the database.
In less than 48 hours, Progent restored Active Directory to its pre-attack state. Progent then rebuilt and recovered storage for the mission-critical systems. All Microsoft Exchange Server data and attributes were intact, which greatly simplified the Exchange restoration. Progent was also able to gather local OST files (Microsoft Outlook Offline Folder Files) from various workstations to recover mail messages. A reasonably recent off-line backup of the client's financials/MRP software made it possible to bring these required applications back into service. Although significant work remained to recover fully from the Ryuk attack, essential services were restored quickly:
"For the most part, the production manufacturing operation survived unscathed and we made all customer orders."
Throughout the following couple of weeks important milestones in the restoration project were accomplished in tight collaboration between Progent consultants and the client:
- In-house web sites were restored with no loss of information.
- The MailStore email archive, holding more than four million messages, was brought online and made accessible to users.
- CRM/Customer Orders/Invoices/Accounts Payable (AP)/Accounts Receivables (AR)/Inventory Control capabilities were completely operational.
- A new Palo Alto 850 firewall was brought online.
- Nearly all of the user desktops and notebooks were functioning as before the incident.
"A huge amount of what occurred in the early hours is nearly entirely a haze for me, but our team will not forget the commitment each and every one of your team showed to help get our business back. I have trusted Progent for at least 10 years, maybe more, and every time Progent has impressed me and delivered. This situation was a life saver."
A potentially business-ending catastrophe was averted by results-oriented professionals, a broad range of technical expertise, and tight teamwork. In retrospect, the ransomware incident described here should have been identified and stopped by modern cyber security technology, NIST Cybersecurity Framework best practices, user training, well-designed incident response procedures, protected backups and proper patch management. Even so, state-sponsored hackers from China, North Korea and elsewhere are tireless and are not going away. If you do fall victim to a crypto-ransomware intrusion, remember that Progent's team has substantial experience in ransomware blocking, remediation, and file recovery.
"So, to Darrin, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others who were contributing), I'm grateful for making it so I could get some sleep after we got past the initial push. Everyone did a fabulous effort, and if anyone is around the Chicago area, a great meal is the least I can do!"
To read or download a PDF version of this customer case study, please click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Offered by Progent
Progent can provide businesses in Fort Wayne a range of online monitoring and security evaluation services to help you minimize the threat from ransomware. These services use modern artificial intelligence technology to uncover new variants of ransomware that can slip past legacy signature-based anti-virus solutions.
For Fort Wayne 24x7 Crypto-Ransomware Cleanup Services, contact Progent at 800-993-9400 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection service that uses behavior-based machine learning to guard physical and virtual endpoints against modern malware such as ransomware and email phishing, which routinely evade legacy signature-matching anti-virus tools. ProSight ASM protects on-premises and cloud resources and offers a unified platform covering the full attack lifecycle: filtering, intrusion detection, containment, remediation, and post-attack forensics. Key features include single-click rollback using Windows Volume Shadow Copy Service (VSS) and real-time network-wide immunization against new attacks. Note that VSS rollback depends on shadow copies surviving the intrusion: most ransomware families, Ryuk included, delete shadow copies (for example with vssadmin) before encrypting, so rollback only helps if the attack is detected and contained before that step. Learn more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware recovery.
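Because rollback depends on shadow copies still existing, the commands ransomware uses to destroy them are worth alerting on in their own right, and the off-hours timing noted earlier on this page is a useful enrichment. The following detector is added here as an example; it is not part of ProSight ASM or any Progent product. It runs a set of rules for recovery-inhibiting commands (MITRE ATT&CK T1490, Inhibit System Recovery) over process-creation events. The key=value event format, the host and user names, and the 07:00 to 19:00 Monday to Friday business hours are assumptions made for the example; the sample events are constructed.

```python
"""Flag recovery-inhibiting commands in process-creation events.

Example added for this page (not part of ProSight ASM). The log format,
hostnames and business hours are assumptions made here.
"""
import re
from datetime import datetime

# Assumed event format: space-separated key=value pairs, cmdline double-quoted.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Commands ransomware runs before encrypting so that rollback is impossible
# (MITRE ATT&CK T1490). Matched case-insensitively against the command line.
RULES = [
    ("vss_shadow_delete",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("vss_shadowstorage_resize",
     re.compile(r"vssadmin(\.exe)?\s+resize\s+shadowstorage", re.I)),
    ("wmic_shadow_delete",
     re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("wbadmin_delete",
     re.compile(r"wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup|backup)", re.I)),
    ("bcdedit_disable_recovery",
     re.compile(r"bcdedit(\.exe)?.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)),
    ("powershell_shadow_delete",
     re.compile(r"win32_shadowcopy.*delete", re.I)),
]

BUSINESS_HOURS = range(7, 19)  # assumed 07:00-19:00 UTC, Monday to Friday


def parse_event(line: str) -> dict:
    """Split one key=value event line into a dict, stripping quotes."""
    fields = {}
    for key, raw in FIELD_RE.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return fields


def is_off_hours(ts: datetime) -> bool:
    """Weekend, or a weekday outside the assumed business hours."""
    return ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS


def detect_recovery_tampering(lines) -> list:
    """Return one alert dict per event whose command line matches a rule."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        cmd = ev.get("cmdline", "")
        for name, pattern in RULES:
            if pattern.search(cmd):
                ts = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
                alerts.append({
                    "rule": name,
                    "technique": "T1490",
                    "ts": ev["ts"],
                    "host": ev.get("host"),
                    "user": ev.get("user"),
                    "cmdline": cmd,
                    "off_hours": is_off_hours(ts),  # weekend/night: raise priority
                })
                break  # one alert per event
    return alerts


# Constructed sample events: a Saturday 03:00 sequence on a file server,
# a benign weekday "vssadmin list", a weekday wmic deletion and a benign notepad.
SAMPLE_EVENTS = [
    r'ts=2021-01-09T03:12:44Z host=FS01 user=CORP\svc_backup image=C:\Windows\System32\vssadmin.exe cmdline="vssadmin delete shadows /all /quiet"',
    r'ts=2021-01-09T03:15:02Z host=FS01 user=CORP\svc_backup image=C:\Windows\System32\bcdedit.exe cmdline="bcdedit /set {default} recoveryenabled No"',
    r'ts=2021-01-11T09:40:17Z host=WS042 user=CORP\jsmith image=C:\Windows\System32\vssadmin.exe cmdline="vssadmin list shadows"',
    r'ts=2021-01-11T14:05:10Z host=SQL01 user=CORP\dbadmin image=C:\Windows\System32\wbem\WMIC.exe cmdline="wmic shadowcopy delete"',
    r'ts=2021-01-11T14:06:00Z host=WS042 user=CORP\jsmith image=C:\Windows\System32\notepad.exe cmdline="notepad.exe C:\Users\jsmith\todo.txt"',
]

if __name__ == "__main__":
    for alert in detect_recovery_tampering(SAMPLE_EVENTS):
        flag = "OFF-HOURS " if alert["off_hours"] else ""
        print(f'{alert["ts"]} {flag}{alert["rule"]} on {alert["host"]} by {alert["user"]}: {alert["cmdline"]}')
```

On the sample input the two Saturday 03:00 events and the weekday wmic deletion are flagged; "vssadmin list shadows" is not, since listing shadow copies is routine administration. In a real deployment the same rules would be fed from Sysmon Event ID 1 or Windows Security Event ID 4688 command-line auditing, and a hit on a backup or domain service account should be treated as an active intrusion rather than a policy violation.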
- ProSight Enhanced Security Protection: Endpoint Security and Exchange Filtering
Progent's ProSight Enhanced Security Protection managed services offer affordable in-depth protection for physical and virtual servers, workstations, smartphones, and Microsoft Exchange. ProSight ESP uses adaptive security and modern behavior analysis for round-the-clock monitoring of, and response to, cyber threats from all attack vectors. ProSight ESP provides two-way firewall protection, intrusion alerts, device management, and web filtering through tools incorporated in a single agent managed from a unified console. Progent's data protection and virtualization experts can help you plan and implement a ProSight ESP environment that addresses your company's specific requirements and lets you achieve and demonstrate compliance with legal and industry data protection standards. Progent will help you define and configure the policies that ProSight ESP enforces, and Progent will monitor your IT environment and respond to alerts that require urgent attention. Progent can also help your company install and verify a backup and restore solution such as ProSight Data Protection Services so you can get back in business quickly after a destructive cyber attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint security and Exchange filtering.
- ProSight Data Protection Services: Managed Backup and Disaster Recovery
ProSight Data Protection Services from Progent offer small and medium-sized businesses a low-cost end-to-end solution for secure backup and disaster recovery. For a low monthly rate, ProSight Data Protection Services automates your backup activities and allows rapid recovery of critical files, applications and virtual machines that have been lost or damaged by hardware failures, software bugs, disasters, human error, or malware attacks such as ransomware. ProSight Data Protection Services can help you protect, retrieve and restore files, folders, applications, system images, and Hyper-V and VMware images. Critical data can be backed up to the cloud, to an on-premises device, or to both. Progent's BDR consultants can provide expertise to configure ProSight DPS to comply with regulatory requirements such as HIPAA, FINRA, PCI and Safe Harbor and, when necessary, can help you restore your business-critical information. Read more about ProSight DPS Managed Backup and Recovery.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam filtering service that uses the technology of top data security vendors to provide web-based control and world-class security for all your email traffic. The architecture of Progent's Email Guard managed service combines a Cloud Protection Layer with a local security gateway appliance to defend against spam, viruses, denial of service attacks, directory harvest attacks (DHAs), and other email-borne threats. The Cloud Protection Layer serves as a first barrier and keeps the vast majority of threats from reaching your security perimeter. This reduces your exposure to inbound attacks and saves network bandwidth and storage. Email Guard's on-premises security gateway appliance provides a deeper layer of analysis for inbound email. For outgoing email, the on-premises gateway offers anti-virus and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The on-site gateway can also help Exchange Server monitor and protect internal email that originates and terminates inside your corporate firewall. For more information, see Email Guard spam filtering and data leakage protection.
- ProSight WAN Watch: Network Infrastructure Management
ProSight WAN Watch is a network infrastructure management service that makes it simple and inexpensive for smaller organizations to map, track, enhance and troubleshoot their connectivity appliances like switches, firewalls, and load balancers plus servers, endpoints and other networked devices. Incorporating state-of-the-art Remote Monitoring and Management technology, ProSight WAN Watch makes sure that infrastructure topology diagrams are always updated, copies and displays the configuration information of almost all devices on your network, monitors performance, and sends notices when potential issues are discovered. By automating tedious management and troubleshooting processes, WAN Watch can cut hours off ordinary chores like making network diagrams, reconfiguring your network, finding appliances that need important software patches, or identifying the cause of performance issues. Find out more about ProSight WAN Watch network infrastructure management services.
- ProSight LAN Watch: Server and Desktop Monitoring and Management
ProSight LAN Watch is Progent's server and desktop monitoring managed service that uses advanced remote monitoring and management (RMM) techniques to keep your network operating at peak levels by checking the state of the critical computers that power your business network. When ProSight LAN Watch detects a problem, an alarm is transmitted immediately to your designated IT staff and your Progent consultant so any looming problems can be addressed before they have a chance to impact productivity. Find out more about ProSight LAN Watch server and desktop remote monitoring services.
- ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
With ProSight Virtual Hosting service, a small or mid-size business can have its critical servers and applications hosted in a protected Tier III data center on a high-performance virtual host configured and maintained by Progent's IT support experts. Under the ProSight Virtual Hosting model, the client owns the data, the OS software, and the applications. Because the system is virtualized, it can be moved immediately to different hardware without a lengthy and technically risky reconfiguration. With ProSight Virtual Hosting, your business is not tied to one hosting provider. Learn more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to create, update, retrieve and protect information about your network infrastructure, procedures, business applications, and services. You can instantly find passwords or IP addresses and be warned automatically about upcoming expirations of SSL/TLS certificates or domain registrations. By keeping your IT infrastructure documentation current and organized, you can eliminate up to half of the time wasted hunting for critical information about your network. ProSight IT Asset Management includes a centralized repository for holding and collaborating on all documents required for managing your network infrastructure, such as recommended procedures and self-service instructions. ProSight IT Asset Management also supports a high level of automation for gathering and correlating IT information. Whether you're planning improvements, doing regular maintenance, or reacting to an emergency, ProSight IT Asset Management gets you the information you need when you need it. Find out more about Progent's ProSight IT Asset Management service.