Ransomware : Your Feared Information Technology Nightmare
Crypto-Ransomware  Remediation ProfessionalsRansomware has become a too-frequent cyber pandemic that represents an existential threat for businesses of all sizes unprepared for an attack. Different versions of crypto-ransomware such as CryptoLocker, WannaCry, Locky, NotPetya and MongoLock cryptoworms have been circulating for years and continue to inflict havoc. Recent strains of ransomware like Ryuk and Hermes, as well as more unnamed viruses, not only do encryption of on-line information but also infect any available system backups. Information synched to off-site disaster recovery sites can also be corrupted. In a vulnerable system, it can render automatic restore operations useless and effectively knocks the datacenter back to zero.

Getting back programs and data after a ransomware intrusion becomes a sprint against time as the victim fights to contain the damage and clear the crypto-ransomware and to resume mission-critical activity. Since crypto-ransomware takes time to replicate, penetrations are often launched on weekends, when penetrations in many cases take more time to identify. This compounds the difficulty of quickly marshalling and organizing a qualified mitigation team.

Progent makes available an assortment of support services for protecting businesses from ransomware attacks. Among these are team education to become familiar with and avoid phishing exploits, ProSight Active Security Monitoring (ASM) for remote monitoring and management, along with deployment of next-generation security appliances with artificial intelligence technology to quickly identify and disable day-zero cyber attacks. Progent in addition can provide the assistance of veteran ransomware recovery consultants with the skills and perseverance to restore a compromised system as quickly as possible.

Progent's Crypto-Ransomware Restoration Services
Subsequent to a ransomware attack, paying the ransom demands in Bitcoin cryptocurrency does not ensure that merciless criminals will provide the needed codes to decrypt any or all of your information. Kaspersky ascertained that 17% of ransomware victims never restored their files even after having paid the ransom, resulting in increased losses. The gamble is also expensive. Ryuk ransoms frequently range from 15-40 BTC ($120,000 and $400,000). This is greatly higher than the average ransomware demands, which ZDNET estimates to be in the range of $13,000. The fallback is to setup from scratch the key parts of your Information Technology environment. Absent access to complete data backups, this requires a wide range of skill sets, professional project management, and the ability to work 24x7 until the job is finished.

For decades, Progent has offered certified expert IT services for companies in Appleton and across the US and has earned Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes consultants who have attained high-level certifications in foundation technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity experts have earned internationally-renowned industry certifications including CISA, CISSP-ISSAP, CRISC, and SANS GIAC. (See Progent's certifications). Progent in addition has experience with financial management and ERP software solutions. This breadth of experience gives Progent the skills to quickly understand important systems and organize the surviving components of your network system after a crypto-ransomware event and assemble them into a functioning system.

Progent's recovery team uses state-of-the-art project management tools to coordinate the sophisticated recovery process. Progent knows the importance of working rapidly and together with a customerís management and IT team members to prioritize tasks and to get the most important applications back on line as fast as possible.

Case Study: A Successful Crypto-Ransomware Virus Restoration
A business hired Progent after their company was crashed by the Ryuk ransomware. Ryuk is thought to have been launched by North Korean state hackers, possibly adopting strategies exposed from the U.S. NSA organization. Ryuk targets specific businesses with limited ability to sustain disruption and is among the most profitable incarnations of ransomware. Headline targets include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a single-location manufacturing company headquartered in the Chicago metro area and has around 500 workers. The Ryuk attack had paralyzed all business operations and manufacturing processes. The majority of the client's system backups had been online at the start of the intrusion and were eventually encrypted. The client was pursuing financing for paying the ransom (exceeding $200K) and praying for the best, but ultimately brought in Progent.


"I cannot say enough in regards to the expertise Progent provided us during the most critical time of (our) businesses existence. We would have paid the hackers behind this attack if not for the confidence the Progent group afforded us. The fact that you were able to get our messaging and essential applications back sooner than one week was something I thought impossible. Each expert I talked with or texted at Progent was urgently focused on getting our company operational and was working breakneck pace on our behalf."

Progent worked with the customer to rapidly identify and assign priority to the essential services that needed to be addressed in order to continue company functions:

  • Windows Active Directory
  • Exchange Server
  • Accounting/MRP
To begin, Progent followed ransomware penetration mitigation industry best practices by isolating and cleaning systems of viruses. Progent then started the steps of recovering Active Directory, the core of enterprise systems built upon Microsoft Windows Server technology. Microsoft Exchange Server messaging will not function without Windows AD, and the customerís MRP system used SQL Server, which needs Windows AD for security authorization to the information.

In less than two days, Progent was able to recover Windows Active Directory to its pre-penetration state. Progent then accomplished reinstallations and storage recovery on mission critical systems. All Microsoft Exchange Server schema and configuration information were usable, which greatly helped the rebuild of Exchange. Progent was able to assemble local OST files (Outlook Off-Line Folder Files) on team desktop computers to recover email data. A recent offline backup of the businesses accounting systems made it possible to recover these required programs back available to users. Although significant work was left to recover completely from the Ryuk event, critical services were recovered quickly:


"For the most part, the production line operation survived unscathed and we made all customer shipments."

Over the following couple of weeks key milestones in the recovery project were accomplished in close collaboration between Progent consultants and the client:

  • Self-hosted web sites were restored with no loss of data.
  • The MailStore Microsoft Exchange Server with over 4 million historical emails was brought on-line and available for users.
  • CRM/Customer Orders/Invoices/AP/Accounts Receivables (AR)/Inventory Control modules were 100 percent recovered.
  • A new Palo Alto Networks 850 firewall was brought on-line.
  • 90% of the desktops and laptops were functioning as before the incident.

"So much of what occurred in the early hours is nearly entirely a fog for me, but we will not forget the urgency each of the team accomplished to give us our business back. Iíve entrusted Progent for the past 10 years, maybe more, and each time Progent has outperformed my expectations and delivered as promised. This situation was a testament to your capabilities."

Conclusion
A possible business-killing disaster was evaded through the efforts of dedicated professionals, a broad array of knowledge, and tight teamwork. Although in analyzing the event afterwards the crypto-ransomware virus attack detailed here would have been disabled with current security systems and ISO/IEC 27001 best practices, staff training, and appropriate incident response procedures for data protection and applying software patches, the reality is that state-sponsored cyber criminals from Russia, North Korea and elsewhere are relentless and represent an ongoing threat. If you do get hit by a crypto-ransomware virus, feel confident that Progent's roster of professionals has proven experience in crypto-ransomware virus blocking, mitigation, and file disaster recovery.


"So, to Darrin, Matt, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were helping), thanks very much for allowing me to get rested after we made it over the most critical parts. All of you did an fabulous job, and if anyone is visiting the Chicago area, a great meal is on me!"

To read or download a PDF version of this case study, please click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Offered by Progent
Progent can provide businesses in Appleton a variety of remote monitoring and security evaluation services designed to assist you to minimize your vulnerability to ransomware. These services utilize next-generation AI technology to detect zero-day strains of crypto-ransomware that are able to evade legacy signature-based anti-virus solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring is an endpoint protection (EPP) service that incorporates cutting edge behavior-based machine learning technology to guard physical and virtual endpoint devices against new malware attacks such as ransomware and email phishing, which routinely evade traditional signature-based anti-virus tools. ProSight Active Security Monitoring safeguards local and cloud-based resources and provides a unified platform to manage the complete threat lifecycle including filtering, detection, mitigation, remediation, and forensics. Key features include single-click rollback with Windows VSS and real-time system-wide immunization against new attacks. Learn more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection (ESP): Endpoint Protection and Microsoft Exchange Email Filtering
    Progent's ProSight Enhanced Security Protection (ESP) managed services deliver economical multi-layer security for physical and virtual servers, workstations, smartphones, and Exchange Server. ProSight ESP utilizes adaptive security and advanced heuristics for continuously monitoring and reacting to cyber threats from all attack vectors. ProSight ESP delivers two-way firewall protection, intrusion alarms, endpoint management, and web filtering via leading-edge tools packaged within one agent accessible from a single control. Progent's data protection and virtualization experts can help your business to design and configure a ProSight ESP deployment that addresses your company's specific needs and that helps you prove compliance with legal and industry information protection regulations. Progent will help you define and implement policies that ProSight ESP will manage, and Progent will monitor your network and respond to alerts that require urgent attention. Progent's consultants can also help you to set up and test a backup and restore system like ProSight Data Protection Services so you can recover quickly from a destructive security attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint protection and Microsoft Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services offer small and mid-sized organizations an affordable and fully managed solution for reliable backup/disaster recovery (BDR). For a low monthly cost, ProSight Data Protection Services automates your backup processes and allows fast restoration of critical data, applications and virtual machines that have become unavailable or corrupted due to hardware breakdowns, software bugs, natural disasters, human error, or malware attacks like ransomware. ProSight Data Protection Services can help you back up, retrieve and restore files, folders, applications, system images, as well as Microsoft Hyper-V and VMware images/. Important data can be protected on the cloud, to an on-promises device, or to both. Progent's cloud backup consultants can provide advanced expertise to set up ProSight DPS to to comply with regulatory standards such as HIPAA, FIRPA, PCI and Safe Harbor and, whenever necessary, can assist you to recover your business-critical information. Find out more about ProSight Data Protection Services Managed Cloud Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that uses the technology of top information security vendors to provide web-based control and comprehensive security for all your email traffic. The hybrid structure of Email Guard managed service integrates cloud-based filtering with an on-premises gateway appliance to offer complete protection against spam, viruses, Denial of Service (DoS) Attacks, DHAs, and other email-borne malware. The cloud filter acts as a preliminary barricade and keeps the vast majority of threats from making it to your network firewall. This decreases your exposure to inbound threats and conserves network bandwidth and storage space. Email Guard's on-premises gateway device provides a further layer of analysis for inbound email. For outgoing email, the onsite gateway provides AV and anti-spam protection, DLP, and email encryption. The local security gateway can also help Exchange Server to monitor and safeguard internal email traffic that stays within your corporate firewall. For more details, visit ProSight Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is a network infrastructure monitoring and management service that makes it simple and affordable for smaller businesses to map, monitor, enhance and debug their connectivity hardware like switches, firewalls, and wireless controllers as well as servers, printers, endpoints and other devices. Incorporating state-of-the-art RMM technology, WAN Watch ensures that infrastructure topology maps are kept current, copies and manages the configuration information of virtually all devices on your network, monitors performance, and generates alerts when problems are discovered. By automating tedious management and troubleshooting activities, WAN Watch can cut hours off ordinary chores such as network mapping, expanding your network, locating devices that require critical software patches, or identifying the cause of performance bottlenecks. Learn more about ProSight WAN Watch network infrastructure monitoring and management services.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
    ProSight LAN Watch is Progentís server and desktop remote monitoring managed service that incorporates state-of-the-art remote monitoring and management techniques to keep your network running at peak levels by tracking the health of critical computers that power your information system. When ProSight LAN Watch uncovers an issue, an alert is sent automatically to your designated IT staff and your assigned Progent consultant so any looming problems can be addressed before they can impact productivity. Find out more about ProSight LAN Watch server and desktop monitoring services.

  • ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
    With ProSight Virtual Hosting service, a small or mid-size business can have its critical servers and applications hosted in a secure Tier III data center on a fast virtual machine host configured and managed by Progent's network support experts. With the ProSight Virtual Hosting model, the customer retains ownership of the data, the operating system platforms, and the applications. Because the environment is virtualized, it can be moved immediately to a different hosting solution without a lengthy and technically risky reinstallation procedure. With ProSight Virtual Hosting, you are not locked into a single hosting service. Learn more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to capture, update, retrieve and protect information about your IT infrastructure, processes, business apps, and services. You can instantly locate passwords or serial numbers and be alerted automatically about upcoming expirations of SSL certificates ,domains or warranties. By updating and organizing your IT documentation, you can save as much as 50% of time thrown away trying to find critical information about your network. ProSight IT Asset Management features a common location for holding and collaborating on all documents related to managing your business network such as standard operating procedures and self-service instructions. ProSight IT Asset Management also supports a high level of automation for gathering and associating IT data. Whether youíre planning improvements, doing regular maintenance, or reacting to an emergency, ProSight IT Asset Management gets you the data you require as soon as you need it. Read more about ProSight IT Asset Management service.
For Appleton 24x7 Crypto-Ransomware Removal Experts, contact Progent at 800-993-9400 or go to Contact Progent.