Ransomware : Your Crippling IT Nightmare
Ransomware Recovery Experts
Ransomware has become a too-frequent cyber pandemic that represents an extinction-level threat for businesses vulnerable to an attack. Multiple generations of crypto-ransomware such as Dharma, CryptoWall, Bad Rabbit, Syskey and MongoLock cryptoworms have been around for many years and continue to cause damage. The latest strains of ransomware such as Ryuk and Hermes, as well as more unnamed newcomers, not only encrypt online data files but also infect most configured system backups. Data synched to cloud environments can also be corrupted. In a poorly architected data protection solution, this can make any restore operation impossible and effectively set the entire system back to zero.

Getting applications and data back online after a ransomware event becomes a sprint against the clock as the targeted organization fights to stop the spread, eradicate the malware, and resume business-critical activity. Since crypto-ransomware needs time to spread, intrusions are usually launched during nights and weekends, when attacks may take longer to identify. This multiplies the difficulty of quickly mobilizing and organizing a capable response team.

Progent provides a variety of solutions for protecting organizations from ransomware attacks. These include staff education to help identify and avoid phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, in addition to installation of the latest generation security appliances with AI technology to quickly discover and quarantine day-zero cyber attacks. Progent also can provide the services of veteran ransomware recovery engineers with the talent and commitment to rebuild a compromised environment as urgently as possible.

Progent's Ransomware Recovery Help
After a ransomware attack, even paying the ransom demand in Bitcoin cryptocurrency does not provide any assurance that the criminal gang will return the keys needed to decrypt all your files. Kaspersky Labs determined that 17% of crypto-ransomware victims never restored their data even after having sent off the ransom, resulting in increased losses. Paying is also expensive. Ryuk ransoms often range from fifteen to forty BTC ($120,000 to $400,000). This is far above the typical ransomware demand, which ZDNET estimates to average approximately $13,000. The fallback is to re-install the critical components of your IT environment. Absent complete data backups, this requires a wide range of skills, well-coordinated project management, and the ability to work continuously until the job is done.

For twenty years, Progent has offered expert IT services for companies in Buffalo and across the U.S. and has achieved Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes engineers who have attained top certifications in foundation technologies such as Microsoft, Cisco, VMware, and major distributions of Linux. Progent's security engineers have earned internationally-renowned certifications including CISA, CISSP, ISACA CRISC, and GIAC. (Refer to Progent's certifications.) Progent also has expertise with financial management and ERP software solutions. This breadth of expertise gives Progent the capability to rapidly understand important systems, organize the remaining pieces of your IT environment following a ransomware event, and configure them into a functioning system.

Progent's ransomware team of experts deploys top-notch project management systems to orchestrate the complicated restoration process. Progent appreciates the urgency of acting swiftly and in concert with a customer's management and IT resources to prioritize tasks and to get critical systems back online as fast as possible.

Business Case Study: A Successful Ransomware Attack Restoration
A business engaged Progent after their network was brought down by Ryuk ransomware. Ryuk is thought to have been developed by North Korean state cybercriminals, possibly using techniques leaked from the United States National Security Agency. Ryuk goes after specific companies with little tolerance for disruption and is one of the most lucrative examples of crypto-ransomware. High-profile victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a regional manufacturing company based in Chicago with around 500 workers. The Ryuk intrusion had frozen all business operations and manufacturing capabilities. Most of the client's data backups had been directly accessible from the network at the start of the intrusion and were damaged. The client considered paying the ransom demand (more than two hundred thousand dollars) and hoping for the best, but ultimately called Progent.


"I cannot thank you enough for the support Progent gave us during the most fearful period of (our) business's life. We would have had little choice but to pay the cyber criminals behind the attack if it wasn't for the confidence the Progent team afforded us. The fact that you could get our e-mail system and important servers back online in less than 1 week was amazing. Every single consultant I got help from or communicated with at Progent was laser focused on getting our system up and was working 24 by 7 to bail us out."

Progent worked hand in hand with the client to rapidly understand and prioritize the mission-critical systems that had to be addressed to make it possible to resume business operations:

  • Windows Active Directory
  • Microsoft Exchange Email
  • Accounting and Manufacturing Software

To get going, Progent followed incident response best practices by halting the spread and cleaning infected systems of malware. Progent then started the work of restoring Microsoft AD, the key technology of enterprise systems built upon Microsoft technology. Microsoft Exchange Server email will not operate without Windows AD, and the client's financials and MRP software relied on Microsoft SQL Server, which depends on Active Directory services to control access to the data.

Within two days, Progent was able to recover Active Directory to its pre-intrusion state. Progent then carried out setup and hard drive recovery on critical applications. All Exchange data and configuration information were intact, which greatly helped the restoration of Exchange. Progent was able to locate non-encrypted OST files (Microsoft Outlook Offline Data Files) on various PCs and laptops in order to recover email data. A relatively recent offline backup of the client's accounting software made it possible to bring these vital programs back online for users. Although significant work remained to recover fully from the Ryuk event, essential systems were returned to operation rapidly:


"For the most part, the production manufacturing operation never missed a beat and we did not miss any customer sales."

During the next few weeks important milestones in the restoration process were completed in tight collaboration between Progent consultants and the customer:

  • Internal web applications were restored with no loss of information.
  • The MailStore Exchange Server archive, containing more than four million archived emails, was restored to operation and accessible to users.
  • CRM/Customer Orders/Invoicing/Accounts Payable (AP)/Accounts Receivables (AR)/Inventory Control functions were 100 percent functional.
  • A new Palo Alto 850 firewall was installed and configured.
  • Ninety percent of the desktops and laptops were fully operational.

"Much of what occurred during the initial response is mostly a haze for me, but my management will not soon forget the dedication all of the team put in to help get our business back. I've trusted Progent for at least 10 years, maybe more, and every time I needed help Progent has impressed me and delivered as promised. This situation was a Herculean accomplishment."

Conclusion
A probable company-ending disaster was averted by results-oriented experts, a wide array of knowledge, and tight teamwork. In hindsight, the crypto-ransomware incident described here would have been identified and blocked by modern cyber security technology, security best practices, staff education, and appropriate incident response procedures covering data backup and patch management. Nevertheless, state-sponsored cybercriminals from China, Russia, North Korea and elsewhere are relentless and will keep attacking. If you do fall victim to a crypto-ransomware attack, remember that Progent's roster of experts has extensive experience in crypto-ransomware blocking, remediation, and information systems restoration.


"So, to Darrin, Matt, Aaron, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others who were helping), thanks very much for letting me get rested after we made it through the first week. All of you did an incredible job, and if anyone is visiting the Chicago area, a great meal is my treat!"

To review or download a PDF version of this customer case study, please click:
Progent's Crypto-Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent offers companies in Buffalo a portfolio of online monitoring and security evaluation services designed to assist you to minimize your vulnerability to ransomware. These services utilize next-generation machine learning capability to detect new strains of ransomware that can escape detection by legacy signature-based security products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring is an endpoint protection (EPP) solution that utilizes next generation behavior-based analysis technology to defend physical and virtual endpoint devices against modern malware assaults such as ransomware and email phishing, which easily get by legacy signature-based AV products. ProSight ASM protects on-premises and cloud resources and offers a single platform to automate the entire malware attack progression including protection, identification, mitigation, cleanup, and post-attack forensics. Top features include single-click rollback with Windows Volume Shadow Copy Service (VSS) and real-time system-wide immunization against new threats. Find out more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection: Endpoint Security and Exchange Email Filtering
    ProSight Enhanced Security Protection services deliver ultra-affordable in-depth protection for physical and virtual servers, desktops, smartphones, and Microsoft Exchange. ProSight ESP uses contextual security and advanced heuristics for continuously monitoring and responding to cyber assaults from all vectors. ProSight ESP delivers two-way firewall protection, intrusion alarms, device control, and web filtering through cutting-edge tools incorporated within a single agent managed from a unified console. Progent's security and virtualization consultants can assist you to plan and configure a ProSight ESP environment that addresses your organization's specific requirements and that allows you to demonstrate compliance with government and industry information protection standards. Progent will assist you to specify and implement security policies that ProSight ESP will manage, and Progent will monitor your IT environment and react to alarms that call for immediate attention. Progent's consultants can also assist you to set up and test a backup and disaster recovery system like ProSight Data Protection Services (DPS) so you can recover rapidly from a destructive security attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint protection and Microsoft Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services from Progent provide small and mid-sized businesses an affordable end-to-end service for reliable backup/disaster recovery (BDR). For a low monthly rate, ProSight DPS automates your backup processes and enables fast recovery of vital files, applications and virtual machines that have become lost or corrupted due to hardware failures, software glitches, natural disasters, human error, or malicious attacks like ransomware. ProSight DPS can help you back up, recover and restore files, folders, applications, system images, plus Microsoft Hyper-V and VMware virtual machine images. Important data can be protected in the cloud, on an on-premises storage device, or mirrored to both. Progent's cloud backup specialists can deliver world-class expertise to set up ProSight Data Protection Services to be compliant with regulatory requirements like HIPAA, FERPA, and PCI and, whenever needed, can assist you to restore your business-critical information. Read more about ProSight Data Protection Services Managed Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering service that uses the technology of top information security companies to provide centralized control and world-class security for all your inbound and outbound email. The hybrid structure of Progent's Email Guard managed service combines cloud-based filtering with a local gateway appliance to provide advanced defense against spam, viruses, DoS attacks, directory harvest attacks (DHAs), and other email-based threats. Email Guard's Cloud Protection Layer serves as a preliminary barricade and blocks the vast majority of threats from reaching your security perimeter. This decreases your vulnerability to inbound attacks and saves system bandwidth and storage. Email Guard's onsite security gateway device provides a deeper layer of inspection for incoming email. For outgoing email, the onsite gateway provides AV and anti-spam filtering, policy-based Data Loss Prevention, and email encryption. The on-premises security gateway can also assist Microsoft Exchange Server to track and safeguard internal email traffic that stays inside your corporate firewall. For more details, visit ProSight Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is an infrastructure monitoring and management service that makes it simple and affordable for small and mid-sized businesses to diagram, monitor, optimize and troubleshoot their connectivity hardware such as routers, firewalls, and load balancers as well as servers, printers, client computers and other networked devices. Using cutting-edge Remote Monitoring and Management technology, ProSight WAN Watch makes sure that network maps are kept current, copies and manages the configuration information of almost all devices connected to your network, monitors performance, and generates alerts when potential issues are detected. By automating tedious network management processes, WAN Watch can cut hours off ordinary tasks like making network diagrams, expanding your network, finding devices that need critical software patches, or isolating performance problems. Learn more about ProSight WAN Watch network infrastructure monitoring and management services.

  • ProSight LAN Watch: Server and Desktop Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that incorporates advanced remote monitoring and management (RMM) technology to keep your network running efficiently by checking the state of critical computers that power your business network. When ProSight LAN Watch uncovers an issue, an alarm is transmitted automatically to your specified IT management personnel and your assigned Progent consultant so that any looming problems can be addressed before they have a chance to impact your network. Find out more details about ProSight LAN Watch server and desktop monitoring consulting.

  • ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
    With Progent's ProSight Virtual Hosting service, a small business can have its critical servers and apps hosted in a secure fault-tolerant data center on a fast virtual machine host configured and maintained by Progent's network support professionals. With Progent's ProSight Virtual Hosting model, the customer retains ownership of the data, the OS software, and the applications. Because the environment is virtualized, it can be ported immediately to a different hardware environment without requiring a time-consuming and difficult configuration procedure. With ProSight Virtual Hosting, your business is not tied to one hosting service. Learn more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to capture, maintain, retrieve and safeguard information related to your IT infrastructure, processes, business apps, and services. You can quickly find passwords or serial numbers and be alerted about upcoming expirations of SSL certificates or warranties. By updating and managing your network documentation, you can save up to half the time wasted looking for critical information about your IT network. ProSight IT Asset Management features a centralized location for holding and sharing all documents required for managing your network infrastructure, such as standard operating procedures (SOPs) and How-To's. ProSight IT Asset Management also offers advanced automation for collecting and associating IT information. Whether you're making enhancements, performing maintenance, or reacting to a crisis, ProSight IT Asset Management gets you the information you need when you need it. Learn more about Progent's ProSight IT Asset Management service.

For Buffalo 24/7 CryptoLocker Recovery Consultants, call Progent at 800-993-9400 or go to Contact Progent.