Ransomware : Your Feared IT Catastrophe
Crypto-Ransomware Remediation Consultants

Ransomware has become a modern cyber pandemic that poses an enterprise-level threat for businesses of all sizes unprepared for an assault. Different iterations of ransomware such as Reveton, Fusob, Bad Rabbit, NotPetya and MongoLock cryptoworms have been out in the wild for a long time and continue to inflict destruction. Recent versions of crypto-ransomware such as Ryuk and Hermes, along with more as yet unnamed malware, not only encrypt online critical data but also infect most accessible system restores and backups. Information synched to the cloud can also be encrypted. In a poorly designed data protection solution, this can make automated restoration useless and effectively sets the datacenter back to square one.

Recovering services and data following a crypto-ransomware event becomes a sprint against time as the targeted organization tries its best to stop the spread and eradicate the ransomware and to resume business-critical activity. Since ransomware takes time to spread, assaults are usually launched on weekends, when successful attacks typically take more time to recognize. This multiplies the difficulty of promptly marshalling and coordinating an experienced mitigation team.

Progent has a range of services for securing organizations from ransomware events. These include team training to help identify and avoid phishing scams, ProSight Active Security Monitoring for remote monitoring and management, plus setup and configuration of the latest generation of security appliances with machine learning capabilities to intelligently discover and extinguish zero-day cyber threats. Progent can also provide the assistance of seasoned ransomware recovery consultants with the talent and commitment to restore a compromised network as urgently as possible.

Progent's Crypto-Ransomware Recovery Support Services
Following a ransomware attack, sending the ransom in Bitcoin cryptocurrency does not ensure that criminal gangs will respond with the keys needed to decipher any or all of your data. Kaspersky Labs ascertained that 17% of ransomware victims never restored their files even after having sent off the ransom, resulting in increased losses. The gamble is also expensive. Ryuk ransoms often range from fifteen to forty BTC ($120,000 to $400,000). This is significantly above the usual crypto-ransomware demands, which ZDNET reports to average in the range of $13,000. The fallback is to re-install the mission-critical elements of your IT environment. Without access to complete system backups, this calls for a wide range of skill sets, well-coordinated team management, and the capability to work non-stop until the task is completed.

For decades, Progent has offered certified expert Information Technology services for companies in Fort Wayne and throughout the US and has earned Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes professionals who have earned high-level certifications in foundation technologies like Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cybersecurity consultants have garnered internationally-renowned industry certifications including CISM, CISSP, ISACA CRISC, and GIAC. (Refer to Progent's certifications). Progent also has experience with financial management and ERP application software. This breadth of expertise provides Progent the skills to knowledgably identify important systems and re-organize the remaining parts of your computer network environment following a ransomware event and assemble them into an operational network.

Progent's team of security experts uses state-of-the-art project management systems to coordinate the complex restoration process. Progent understands the urgency of working rapidly and in concert with a customer's management and IT team members to prioritize tasks and to put the most important services back on-line as fast as humanly possible.

Customer Story: A Successful Crypto-Ransomware Penetration Restoration
A business sought out Progent after their network was brought down by Ryuk crypto-ransomware. Ryuk is believed to have been deployed by North Korean state-sponsored cybercriminals, possibly using algorithms exposed from America's NSA organization. Ryuk goes after specific organizations with limited room for disruption and is one of the most profitable instances of ransomware malware. Headline targets include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a regional manufacturer headquartered in Chicago with about 500 workers. The Ryuk attack had brought down all company operations and manufacturing processes. Most of the client's data backups had been directly accessible at the start of the intrusion and were destroyed. The client considered paying the ransom demand (more than two hundred thousand dollars) and hoping for the best, but ultimately engaged Progent.


"I can't speak enough in regards to the support Progent provided us throughout the most fearful time of (our) business's life. We most likely would have paid the cyber criminals behind the attack if not for the confidence the Progent group afforded us. The fact that you could get our messaging and essential applications back in less than one week was amazing. Each expert I talked with or texted at Progent was hell bent on getting our company operational and was working at all hours to bail us out."

Progent worked hand in hand with the client to quickly determine and assign priority to the essential applications that had to be recovered in order to resume company operations:

  • Active Directory
  • Email
  • Accounting/MRP

To begin, Progent adhered to ransomware incident mitigation industry best practices by isolating and disinfecting systems. Progent then started the steps of recovering Windows Active Directory, the core of enterprise systems built on Microsoft Windows technology. Exchange messaging will not work without AD, and the customer's MRP software used Microsoft SQL, which depends on Windows AD for security authorization to the database.

In less than 2 days, Progent was able to rebuild Active Directory to its pre-infection state. Progent then initiated setup and hard drive recovery of the most important servers. All Microsoft Exchange Server schema and attributes were intact, which facilitated the restore of Exchange. Progent was also able to assemble non-encrypted OST files (Outlook Offline Folder Files) from various PCs in order to recover email information. A recent offline backup of the business's accounting software made it possible to bring these vital services back to users. Although significant work was left to recover fully from the Ryuk event, core systems were restored rapidly:


"For the most part, the production operation survived unscathed and we delivered all customer sales."

During the next few weeks critical milestones in the restoration process were accomplished in close cooperation between Progent engineers and the client:

  • Internal web sites were returned to operation without losing any data.
  • The MailStore Server, holding more than four million archived messages, was brought on-line and made available to users.
  • CRM/Customer Orders/Invoicing/Accounts Payable/Accounts Receivables (AR)/Inventory functions were 100% restored.
  • A new Palo Alto Networks 850 security appliance was brought online.
  • Most of the desktops and laptops were operational.

"So much of what happened in the initial days is nearly entirely a fog for me, but our team will not forget the care all of your team put in to give us our business back. I've been working together with Progent for the past 10 years, possibly more, and each time I needed help Progent has outperformed my expectations and delivered. This time was the most impressive ever."

Conclusion
A potential enterprise-killing catastrophe was dodged due to results-oriented professionals, a broad range of knowledge, and tight teamwork. Forensics completed afterwards showed that the ransomware penetration described here should have been stopped by modern security systems, NIST Cybersecurity Framework or ISO/IEC 27001 best practices, team training, and well designed security procedures for information backup and proper patching controls. Even so, the fact remains that government-sponsored cyber criminals from Russia, North Korea and elsewhere are tireless and are not going away. If you do get hit by a ransomware incursion, remember that Progent's roster of experts has extensive experience in ransomware virus blocking, remediation, and file recovery.


"So, to Darrin, Matt, Aaron, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were helping), thanks very much for making it so I could get rested after we made it past the first week. All of you did an incredible job, and if any of your team is around the Chicago area, a great meal is the least I can do!"

To review or download a PDF version of this customer case study, please click:
Progent's Crypto-Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Offered by Progent
Progent can provide businesses in Fort Wayne a variety of online monitoring and security assessment services designed to help you minimize your vulnerability to ransomware. These services incorporate modern AI technology to detect new variants of crypto-ransomware that can escape detection by traditional signature-based security solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring is an endpoint protection (EPP) service that utilizes next generation behavior-based machine learning technology to defend physical and virtual endpoints against new malware assaults like ransomware and file-less exploits, which easily evade traditional signature-based anti-virus products. ProSight Active Security Monitoring protects local and cloud-based resources and provides a unified platform to manage the entire malware attack lifecycle including blocking, infiltration detection, mitigation, cleanup, and forensics. Key features include one-click rollback using Windows Volume Shadow Copy Service and automatic system-wide immunization against newly discovered threats. Learn more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection (ESP): Endpoint Security and Microsoft Exchange Filtering
    ProSight Enhanced Security Protection managed services deliver affordable in-depth protection for physical and virtual servers, workstations, smartphones, and Exchange Server. ProSight ESP uses contextual security and advanced heuristics for round-the-clock monitoring and responding to cyber threats from all attack vectors. ProSight ESP delivers firewall protection, penetration alarms, endpoint management, and web filtering via leading-edge technologies incorporated within one agent accessible from a single control. Progent's security and virtualization experts can assist your business to plan and implement a ProSight ESP environment that addresses your organization's specific requirements and that allows you to demonstrate compliance with legal and industry data protection regulations. Progent will help you define and implement security policies that ProSight ESP will enforce, and Progent will monitor your IT environment and react to alarms that require immediate attention. Progent can also help your company to install and test a backup and disaster recovery system like ProSight Data Protection Services so you can get back in business quickly from a destructive security attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection unified endpoint security and Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services from Progent provide small and medium-sized businesses an affordable and fully managed service for reliable backup/disaster recovery. For a low monthly rate, ProSight DPS automates your backup processes and allows fast recovery of critical files, applications and VMs that have become unavailable or corrupted as a result of component breakdowns, software bugs, disasters, human error, or malicious attacks such as ransomware. ProSight DPS can help you back up, recover and restore files, folders, applications, system images, as well as Microsoft Hyper-V and VMware virtual machine images. Important data can be backed up on the cloud, to a local device, or mirrored to both. Progent's cloud backup consultants can deliver world-class expertise to set up ProSight Data Protection Services to comply with regulatory requirements like HIPAA, FIRPA, and PCI and, when necessary, can assist you to restore your critical data. Learn more about ProSight DPS Managed Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering and email encryption service that incorporates the infrastructure of top information security companies to provide centralized management and comprehensive security for your inbound and outbound email. The powerful structure of Progent's Email Guard managed service integrates a Cloud Protection Layer with an on-premises gateway device to offer advanced protection against spam, viruses, Denial of Service (DoS) Attacks, Directory Harvest Attacks (DHAs), and other email-based threats. The cloud filter acts as a preliminary barricade and keeps the vast majority of unwanted email from reaching your security perimeter. This decreases your vulnerability to inbound attacks and conserves system bandwidth and storage. Email Guard's on-premises gateway appliance adds a further level of inspection for incoming email. For outgoing email, the local gateway provides anti-virus and anti-spam protection, protection against data leaks, and email encryption. The on-premises gateway can also help Microsoft Exchange Server to monitor and protect internal email traffic that stays inside your corporate firewall. For more details, see Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Management
    ProSight WAN Watch is a network infrastructure monitoring and management service that makes it easy and inexpensive for smaller businesses to map, monitor, optimize and debug their connectivity hardware like switches, firewalls, and wireless controllers plus servers, printers, client computers and other devices. Using cutting-edge Remote Monitoring and Management technology, ProSight WAN Watch makes sure that infrastructure topology diagrams are kept current, captures and displays the configuration information of almost all devices connected to your network, tracks performance, and generates alerts when potential issues are detected. By automating complex network management processes, WAN Watch can cut hours off ordinary tasks such as making network diagrams, expanding your network, finding appliances that need important updates, or isolating performance bottlenecks. Find out more about ProSight WAN Watch network infrastructure monitoring and management consulting.

  • ProSight LAN Watch: Server and Desktop Monitoring
    ProSight LAN Watch is Progent's server and desktop monitoring service that incorporates state-of-the-art remote monitoring and management technology to help keep your IT system running at peak levels by checking the health of critical assets that drive your information system. When ProSight LAN Watch uncovers a problem, an alarm is transmitted immediately to your specified IT management staff and your assigned Progent consultant so any potential issues can be resolved before they can impact your network. Learn more about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With ProSight Virtual Hosting service, a small or mid-size business can have its key servers and applications hosted in a protected fault tolerant data center on a high-performance virtual machine host configured and maintained by Progent's IT support experts. Under Progent's ProSight Virtual Hosting model, the customer retains ownership of the data, the operating system software, and the applications. Since the system is virtualized, it can be ported easily to a different hosting solution without a time-consuming and difficult reinstallation procedure. With ProSight Virtual Hosting, your business is not tied to a single hosting provider. Learn more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to capture, maintain, find and safeguard data related to your network infrastructure, processes, business apps, and services. You can quickly locate passwords or serial numbers and be alerted about impending expirations of SSL certificates or domains. By updating and organizing your network documentation, you can save up to 50% of time spent searching for critical information about your network. ProSight IT Asset Management features a centralized repository for storing and collaborating on all documents related to managing your network infrastructure such as standard operating procedures and How-To's. ProSight IT Asset Management also offers advanced automation for gathering and relating IT data. Whether you're planning improvements, doing maintenance, or reacting to a crisis, ProSight IT Asset Management delivers the knowledge you require as soon as you need it. Read more about Progent's ProSight IT Asset Management service.

For Fort Wayne 24/7 Crypto-Ransomware Repair Experts, reach out to Progent at 800-993-9400 or go to Contact Progent.