Crypto-Ransomware : Your Crippling Information Technology Catastrophe
Ransomware has become an escalating cyber plague that poses an enterprise-level danger to businesses poorly prepared for an attack. Older generations of ransomware such as Reveton, Fusob, Bad Rabbit and MongoLock have been in the wild for years and still cause havoc. Newer strains such as Ryuk, Maze, Sodinokibi (REvil), Netwalker, LockBit and Nefilim, plus a steady stream of unnamed newcomers, not only encrypt online data but also seek out and destroy or encrypt system restore points and any backups they can reach. Files synced to the cloud can be encrypted as well, since the sync client faithfully uploads the damaged copies. Against a poorly designed data protection solution this renders automated restoration impossible and effectively sets the entire environment back to zero.
Restoring applications and data after a crypto-ransomware event becomes a race against the clock as the victim fights to contain the damage, eradicate the ransomware and resume business-critical operations. Because ransomware needs time to spread, attacks are frequently launched at night and on weekends, when they take longer to detect, which compounds the difficulty of promptly assembling and coordinating a qualified response team.
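The two behaviours described above, backup tampering before encryption and off-hours timing, are also the most reliable early detection signal. The following is an added example written for this page (not Progent code or any Progent product): a small detector that runs over process-creation records and flags the shadow-copy, backup-catalog and boot-recovery commands that ransomware families such as Ryuk issue before encrypting, then scores them by account, time window and business hours. The event records are constructed for the example, modelled on the fields of Windows Security event 4688 / Sysmon event 1 and flattened to a `timestamp | account | image | command line` layout; the parser is the part you would replace with one for your own SIEM export.

```python
"""Flag shadow-copy and backup tampering in Windows process-creation events.

Added example for this page, not Progent code. The events below are
constructed, modelled on the fields of Security event 4688 / Sysmon event 1
and flattened to "timestamp | account | image | command line"; swap in the
parser for your own SIEM export. The rules cover the commands ransomware
families such as Ryuk run before encryption: vssadmin/wmic shadow-copy
deletion, wbadmin catalog deletion and bcdedit recovery changes.
"""
import re
from datetime import datetime

# Constructed sample events (not real customer data). Note the 02:17 timestamps
# on a Saturday: the off-hours pattern the page describes.
SAMPLE_EVENTS = """\
2019-12-14 02:17:03 | CORP\\svc_backup | C:\\Windows\\System32\\vssadmin.exe | vssadmin.exe Delete Shadows /All /Quiet
2019-12-14 02:17:04 | CORP\\svc_backup | C:\\Windows\\System32\\wbem\\WMIC.exe | wmic.exe shadowcopy delete
2019-12-14 02:17:05 | CORP\\svc_backup | C:\\Windows\\System32\\bcdedit.exe | bcdedit.exe /set {default} recoveryenabled No
2019-12-14 02:17:06 | CORP\\svc_backup | C:\\Windows\\System32\\wbadmin.exe | wbadmin.exe delete catalog -quiet
2019-12-14 09:30:11 | CORP\\jdoe | C:\\Windows\\System32\\vssadmin.exe | vssadmin.exe list shadows
2019-12-13 18:02:40 | CORP\\admin | C:\\Windows\\System32\\cmd.exe | cmd.exe /c dir
"""

# (rule name, case-insensitive regex over the command line)
RULES = [
    ("vss_delete", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("vss_resize", re.compile(r"vssadmin(\.exe)?\s+resize\s+shadowstorage", re.I)),
    ("wmic_shadow_delete", re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("bcdedit_recovery_off",
     re.compile(r"bcdedit(\.exe)?.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)),
    ("wbadmin_delete", re.compile(r"wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)", re.I)),
]

BUSINESS_HOURS = range(7, 19)  # 07:00-18:59 local time; tune per site
BUSINESS_DAYS = range(0, 5)    # Monday-Friday


def parse_event(line):
    """Split one flattened record into its fields."""
    ts, account, image, cmdline = (f.strip() for f in line.split("|", 3))
    return {"time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "account": account, "image": image, "cmdline": cmdline}


def off_hours(ts):
    """True outside the configured business window (nights, weekends)."""
    return ts.weekday() not in BUSINESS_DAYS or ts.hour not in BUSINESS_HOURS


def detect(text):
    """Return one hit per event whose command line matches a tampering rule."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        for name, rx in RULES:
            if rx.search(ev["cmdline"]):
                hits.append({"rule": name, "account": ev["account"], "time": ev["time"],
                             "off_hours": off_hours(ev["time"]), "cmdline": ev["cmdline"]})
                break
    return hits


def summarize(hits, window_minutes=5, critical_rules=3):
    """Group hits per account. Several distinct tampering commands from one
    account inside a short window is the high-confidence pre-encryption signal;
    a single off-hours hit still deserves a look."""
    by_account = {}
    for h in hits:
        by_account.setdefault(h["account"], []).append(h)
    report = {}
    for account, acct_hits in by_account.items():
        acct_hits.sort(key=lambda h: h["time"])
        span = (acct_hits[-1]["time"] - acct_hits[0]["time"]).total_seconds() / 60
        rules = sorted({h["rule"] for h in acct_hits})
        if len(rules) >= critical_rules and span <= window_minutes:
            severity = "critical"
        elif any(h["off_hours"] for h in acct_hits):
            severity = "high"
        else:
            severity = "medium"
        report[account] = {"rules": rules, "span_minutes": span, "severity": severity}
    return report


if __name__ == "__main__":
    for account, info in summarize(detect(SAMPLE_EVENTS)).items():
        print(f"{info['severity'].upper():8} {account}: {', '.join(info['rules'])} "
              f"within {info['span_minutes']:.1f} min")
```

Two practical notes. Event 4688 only carries the command line when the audit policy "Include command line in process creation events" is enabled (or Sysmon is deployed), so check that before relying on this logic. And the legitimate `vssadmin list shadows` in the sample is deliberately not matched: alerting on every vssadmin invocation trains analysts to ignore the alert, whereas the delete/resize/catalog cluster from one account within minutes is rare in normal administration and worth an immediate page, especially at 02:17 on a Saturday.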
Progent offers a range of services for protecting businesses from ransomware. These include staff education to help employees recognize and avoid phishing, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and deployment and configuration of current-generation security solutions that use AI-based behavioral analysis to identify and block zero-day threats. Progent can also provide veteran ransomware recovery engineers with the skill and perseverance to rebuild a compromised environment as quickly as possible.
Progent's Crypto-Ransomware Recovery Help
After a ransomware event, paying the ransom in cryptocurrency does not guarantee that the criminal gang will deliver working decryption keys for any of your data. Kaspersky Lab found that 17 percent of ransomware victims never recovered their data after paying, compounding their losses. The gamble is also expensive. Ryuk ransoms at the time commonly ranged from 15 to 40 BTC (roughly $120,000 to $400,000), far above the typical ransomware demand, which ZDNet reported as averaging around $13,000. The alternative is to rebuild the critical components of your IT environment. Without complete, uncompromised backups this requires a broad range of skills, professional project management and the willingness to work around the clock until the job is done.
For two decades, Progent has provided certified IT services to companies in Appleton and throughout the United States and holds Microsoft Partner competencies in Datacenter and Cloud Productivity. Progent's team of subject matter experts (SMEs) includes professionals holding top industry certifications in key technologies including Microsoft, Cisco, VMware and popular Linux distributions. Progent's cybersecurity experts have earned internationally recognized certifications including CISM, CISSP-ISSAP, ISACA CRISC and SANS GIAC (visit Progent's certifications). Progent also has experience in financial management and ERP applications. This breadth lets Progent knowledgeably identify the important systems, reorganize the surviving parts of your IT environment after a ransomware compromise and assemble them into a working system.
Progent's recovery team uses proven project management processes to coordinate the complex recovery effort. Progent understands the importance of acting swiftly and in concert with a client's management and IT staff to prioritize tasks and bring essential services back online as quickly as possible.
Business Case Study: A Successful Ransomware Penetration Recovery
A client contacted Progent after their network was attacked by Ryuk ransomware. Ryuk is derived from the earlier Hermes ransomware; early reports tied Hermes to North Korean state actors, but subsequent analysis attributes Ryuk operations to a Russian-speaking criminal group. Ryuk targets specific organizations with little or no tolerance for operational disruption and is one of the most profitable ransomware families. Publicized victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a single-location manufacturer headquartered in the Chicago metro area with about 500 employees. The Ryuk attack had shut down all company operations and manufacturing. Most of the client's backups were online at the start of the attack and were encrypted along with everything else. The client was considering paying the ransom (more than $200,000) and hoping for the best, but ultimately decided to engage Progent.
"I can't tell you enough regarding the support Progent gave us throughout the most critical time of (our) company's survival. We would have had little choice but to pay the cyber criminals if it wasn't for the confidence the Progent experts provided us. The fact that you were able to get our messaging and essential applications back online in less than five days was amazing. Each person I got help from or e-mailed at Progent was amazingly focused on getting our company operational and was working at a breakneck pace to bail us out."
Progent worked with the customer to quickly understand and prioritize the essential components that had to be recovered before company operations could restart:
- Active Directory
- Microsoft Exchange email
- MRP system
First, Progent followed ransomware incident response best practices by halting the spread and disinfecting systems. Progent then began recovering Active Directory, the heart of enterprise environments built on Microsoft technology: Exchange Server will not operate without Active Directory, and the business's MRP application used SQL Server, which relied on Active Directory for authentication and access to the data.
In less than two days, Progent restored Active Directory services to their pre-attack state. Progent then rebuilt the most important servers and recovered their storage. All Exchange Server data and attributes were usable, which greatly simplified the Exchange rebuild. Progent also located unencrypted OST files (Outlook Offline Data Files) on staff desktops and recovered mail data from them. A recent offline backup of the business's accounting/ERP systems made it possible to bring these essential services back online for users. Although major work remained to recover fully from the Ryuk attack, essential systems were returned to operation quickly:
"For the most part, the manufacturing operation never missed a beat and we did not miss any customer sales."
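Finding the unencrypted OST files mentioned above is a triage job that scales badly by hand across hundreds of desktops. The following is an added example written for this page (not Progent tooling): it walks a directory tree of copied user profiles and sorts Outlook data files into intact, damaged and renamed by checking the file header. Per the published [MS-PST] format, a PST/OST file begins with the four bytes `!BDN`; a file encrypted in place no longer carries that signature, and a file renamed with a ransom extension (Ryuk appended `.RYK`) is reported separately. The sample files are constructed in a temporary directory so the script runs offline; the `.encrypted`/`.locked` extensions in the tuple are placeholders for whatever family you are facing.

```python
"""Triage Outlook data files (.ost/.pst) left on workstations after a
ransomware run, keeping the ones whose on-disk structure is intact.

Added example for this page, not Progent tooling. Per the [MS-PST] file
format, a PST/OST file begins with dwMagic = 0x21 0x42 0x44 0x4E ("!BDN");
a file encrypted in place loses that signature. The directory tree below is
constructed in a temporary folder so the script runs offline; point scan()
at a mounted image or a share of copied user profiles instead.
"""
import tempfile
from pathlib import Path

PST_MAGIC = b"!BDN"
MAIL_SUFFIXES = (".ost", ".pst")
# Extensions ransomware appends when it renames rather than overwrites in place.
# .RYK is Ryuk's; the others are placeholders, extend for the family you face.
RANSOM_SUFFIXES = (".ryk", ".encrypted", ".locked")


def is_mail_store(path):
    """True for foo.ost / foo.pst and for renamed forms such as foo.ost.RYK."""
    low = path.name.lower()
    return low.endswith(MAIL_SUFFIXES) or any(
        low.endswith(m + r) for m in MAIL_SUFFIXES for r in RANSOM_SUFFIXES)


def classify(path):
    """'renamed' if a ransom extension is present; otherwise 'intact' when the
    PST/OST header is in place and 'damaged' when it is not."""
    if path.name.lower().endswith(RANSOM_SUFFIXES):
        return "renamed"
    with path.open("rb") as fh:
        head = fh.read(len(PST_MAGIC))
    return "intact" if head == PST_MAGIC else "damaged"


def scan(root):
    """Walk root and bucket every mail store by classify()."""
    buckets = {"intact": [], "damaged": [], "renamed": []}
    for p in Path(root).rglob("*"):
        if p.is_file() and is_mail_store(p):
            buckets[classify(p)].append(p)
    return buckets


def build_sample(root):
    """Constructed fixture: one OST with a valid header, one overwritten in
    place with ciphertext-like bytes, one renamed with a ransom extension."""
    root = Path(root)
    (root / "alice").mkdir()
    (root / "alice" / "alice@example.com.ost").write_bytes(PST_MAGIC + b"\x00" * 508)
    (root / "bob").mkdir()
    (root / "bob" / "bob@example.com.ost").write_bytes(bytes(range(256)) * 2)
    (root / "carol").mkdir()
    (root / "carol" / "carol@example.com.ost.RYK").write_bytes(bytes(range(255, -1, -1)) * 2)


def demo():
    """Run the scan over the constructed fixture; return file names per bucket."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        found = scan(tmp)
        return {k: sorted(p.name for p in v) for k, v in found.items()}


if __name__ == "__main__":
    for bucket, names in demo().items():
        print(f"{bucket:8} {names}")
```

A valid header is necessary but not sufficient: it tells you the file was not encrypted from the start, not that every page inside it is sound, so validate the "intact" candidates by exporting them before relying on them. Remember also that an OST is a cached copy bound to its mailbox profile; recovering mail from one on a rebuilt Exchange server generally means converting it to a PST with a conversion tool rather than opening it directly.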
Over the next few weeks key milestones in the recovery project were completed through close cooperation between Progent team members and the client:
- Internal web sites were brought back up with no loss of data.
- The MailStore email archive server, holding more than 4 million archived messages, was brought back online and made available to users.
- CRM/Customer Orders/Invoices/Accounts Payable (AP)/Accounts Receivables (AR)/Inventory modules were fully operational.
- A new Palo Alto Networks PA-850 firewall was deployed.
- Nearly all of the desktops and laptops were back into operation.
"A huge amount of what was accomplished that first week is mostly a fog for me, but our team will not forget the dedication each member of your team showed to give us our business back. I have been working with Progent for the past ten years, possibly more, and every time Progent has outperformed my expectations and delivered. This situation was a testament to your capabilities."
A probable company-ending catastrophe was averted through the efforts of hard-working professionals, a broad spectrum of technical expertise and close collaboration. Post-incident forensics showed that the attack described here should have been identified and blocked by up-to-date security tooling and NIST Cybersecurity Framework best practices, user and IT administrator training, tested incident response procedures, offline backups and timely security patching. The reality remains that organized criminal groups and state-sponsored attackers from Russia, China and elsewhere are relentless and represent an ongoing threat. If you do fall victim to ransomware, be confident that Progent's team has extensive experience in ransomware defense, remediation and information systems recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (and any others that were helping), thanks very much for allowing me to get some sleep after we made it over the initial push. Everyone did an amazing job, and if any of your guys are in the Chicago area, a great meal is my treat!"
To review or download a PDF version of this case study, please click:
Progent's Ryuk Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Crypto-Ransomware Protection Services Available from Progent
Progent can provide businesses in Appleton a portfolio of remote monitoring and security evaluation services to assist you to reduce your vulnerability to ransomware. These services include modern artificial intelligence capability to uncover new strains of ransomware that can evade legacy signature-based security solutions.
For Appleton 24/7/365 Ransomware Repair Support Services, contact Progent at 800-462-8800 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
ProSight Active Security Monitoring is an endpoint protection (EPP) service that incorporates cutting edge behavior-based analysis technology to defend physical and virtual endpoints against modern malware attacks like ransomware and file-less exploits, which easily escape traditional signature-based anti-virus tools. ProSight ASM safeguards local and cloud-based resources and provides a unified platform to automate the entire threat lifecycle including blocking, identification, containment, remediation, and post-attack forensics. Top features include one-click rollback using Windows VSS and real-time network-wide immunization against new attacks. Learn more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware recovery.
- ProSight Enhanced Security Protection: Endpoint Protection and Exchange Filtering
Progent's ProSight Enhanced Security Protection (ESP) services offer economical multi-layer protection for physical servers and virtual machines, workstations, mobile devices, and Exchange email. ProSight ESP uses contextual security and advanced heuristics for round-the-clock monitoring and response to attacks from all vectors. ProSight ESP provides firewall protection, intrusion alerts, endpoint control, and web filtering through leading-edge technologies packaged in a single agent managed from a unified console. Progent's security and virtualization consultants can help your business plan and implement a ProSight ESP environment that meets your organization's specific requirements and helps you demonstrate compliance with government and industry information security regulations. Progent will help you define and implement the policies that ProSight ESP enforces, and Progent will monitor your IT environment and respond to alerts that call for urgent attention. Progent's consultants can also help you install and verify a backup and disaster recovery system such as ProSight Data Protection Services so you can recover rapidly from a potentially disastrous attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint security and Exchange email filtering.
- ProSight Data Protection Services: Managed Backup and Recovery
ProSight Data Protection Services from Progent offer small and mid-sized businesses a low-cost end-to-end service for secure backup and disaster recovery (BDR). Available at a fixed monthly cost, ProSight DPS automates and monitors your backup processes and enables fast recovery of critical data, applications and virtual machines that have been lost or corrupted through hardware failure, software bugs, natural disasters, human error, or malware attacks such as ransomware. ProSight Data Protection Services can help you back up, recover and restore files, folders, applications, system images, and Hyper-V and VMware virtual machine images. Important data can be backed up to the cloud, to an on-premises storage device, or to both. Progent's BDR consultants can deliver advanced support to configure ProSight Data Protection Services to comply with regulatory standards such as HIPAA, FINRA, PCI and Safe Harbor and, whenever necessary, can help you recover your business-critical data. Find out more about ProSight DPS Managed Cloud Backup.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam and virus filtering and email encryption service that uses the infrastructure of leading data security vendors to provide web-based control and comprehensive protection for your email traffic. The architecture of Email Guard combines cloud-based filtering with an on-premises security gateway appliance to offer advanced protection against spam, viruses, DoS attacks, Directory Harvest Attacks (DHAs), and other email-based threats. Email Guard's cloud filter serves as a first line of defense and blocks the vast majority of threats before they reach your network firewall. This reduces your exposure to external attacks and conserves network bandwidth and storage space. Email Guard's onsite gateway appliance adds a deeper level of inspection for incoming email. For outgoing email, the on-premises security gateway provides anti-virus and anti-spam filtering, policy-based Data Loss Prevention, and email encryption. The on-premises gateway can also help Microsoft Exchange Server track and safeguard internal email traffic that originates and ends inside your corporate firewall. For more details, see Email Guard spam filtering and data leakage protection.
- ProSight WAN Watch: Network Infrastructure Management
Progent's ProSight WAN Watch is a network infrastructure monitoring and management service that makes it simple and inexpensive for small and mid-sized organizations to diagram, monitor, reconfigure and troubleshoot their connectivity hardware such as routers, firewalls, and wireless controllers as well as servers, client computers and other networked devices. Using cutting-edge RMM technology, WAN Watch ensures that network maps are always current, copies and manages the configuration information of virtually all devices on your network, tracks performance, and sends alerts when potential issues are discovered. By automating tedious management processes, WAN Watch can cut hours off common chores such as network mapping, reconfiguring your network, finding appliances that require critical updates, or identifying the cause of performance bottlenecks. Find out more details about ProSight WAN Watch network infrastructure monitoring and management consulting.
- ProSight LAN Watch: Server and Desktop Monitoring
ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that uses state-of-the-art remote monitoring and management techniques to keep your network operating at peak levels by tracking the health of vital assets that power your information system. When ProSight LAN Watch uncovers a problem, an alert is sent immediately to your specified IT management personnel and your assigned Progent consultant so that any looming problems can be resolved before they can disrupt your network. Find out more about ProSight LAN Watch server and desktop remote monitoring services.
- ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
With Progent's ProSight Virtual Hosting service, a small or mid-size business can have its key servers and applications hosted in a protected Tier III data center on a high-performance virtual machine host configured and managed by Progent's IT support professionals. Under Progent's ProSight Virtual Hosting model, the client owns the data, the OS platforms, and the applications. Because the environment is virtualized, it can be moved quickly to alternate hardware without a lengthy and technically risky reconfiguration process. With ProSight Virtual Hosting, you are not tied to a single hosting provider. Find out more details about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to create, update, retrieve and protect data related to your IT infrastructure, processes, business applications, and services. You can instantly locate passwords or serial numbers and be warned about upcoming expirations of SSL certificates or domains. By keeping your IT infrastructure documentation current and organized, you can save up to half the time wasted looking for vital information about your network. ProSight IT Asset Management includes a centralized repository for holding and collaborating on all documents related to managing your network infrastructure, such as standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also supports advanced automation for collecting and associating IT information. Whether you're making improvements, performing maintenance, or reacting to an emergency, ProSight IT Asset Management gets you the knowledge you require the instant you need it. Read more about ProSight IT Asset Management service.