Ransomware : Your Crippling Information Technology Nightmare
Crypto-Ransomware Recovery Experts

Ransomware has become a modern cyberplague that presents an enterprise-level threat for businesses unprepared for an assault. Different iterations of crypto-ransomware like the CryptoLocker, Fusob, Bad Rabbit, SamSam and MongoLock cryptoworms have been circulating for many years and still cause damage. The latest variants of ransomware such as Ryuk, Maze, Sodinokibi, DopplePaymer, Conti or Nephilim, plus frequent as yet unnamed malware, not only encrypt online data files but also encrypt any accessible system backups. Information synchronized to cloud environments can also be rendered useless. In a vulnerable environment this renders restore operations useless and effectively sets the datacenter back to square one.

Getting back applications and information following a ransomware attack becomes a race against the clock as the targeted organization struggles to contain and clear the crypto-ransomware and to resume business-critical operations. Because ransomware needs time to spread, attacks are frequently sprung on weekends and holidays, when successful attacks typically take longer to discover. This multiplies the difficulty of rapidly marshalling and coordinating a qualified response team.

Progent makes available a variety of services for securing businesses from crypto-ransomware events. These include team member education to help identify and avoid phishing exploits, ProSight Active Security Monitoring for remote monitoring and management, plus installation of modern security solutions with artificial intelligence capabilities to automatically discover and disable zero-day cyber threats. Progent also offers the services of seasoned ransomware recovery professionals with the skills and commitment to restore a breached network as urgently as possible.

Progent's Crypto-Ransomware Recovery Help
After a ransomware event, sending the ransom in cryptocurrency does not guarantee that criminal gangs will return the keys needed to decrypt all your data. Kaspersky Labs determined that seventeen percent of ransomware victims never recovered their data even after having sent off the ransom, resulting in increased losses. The ransom itself is also expensive. Ryuk ransoms often range from fifteen to forty BTC ($120,000 to $400,000). This is well above the usual ransomware demand, which ZDNET estimates to be in the range of $13,000. The alternative is to set up from scratch the mission-critical parts of your IT environment. Without complete data backups, this requires a broad range of skill sets, top-notch team management, and the willingness to work continuously until the job is done.

For decades, Progent has provided certified expert Information Technology services for businesses in Durham and throughout the United States and has achieved Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes professionals who have earned high-level certifications in leading technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's security experts have earned internationally-recognized certifications including CISM, CISSP-ISSAP, CRISC, and SANS GIAC. (Visit Progent's certifications). Progent also has experience with accounting and ERP application software. This breadth of experience gives Progent the skills to quickly identify the systems that are still needed after a crypto-ransomware penetration, integrate the remaining pieces of your network, and assemble them into a functioning system.

Progent's ransomware group utilizes top-notch project management systems to coordinate the complex restoration process. Progent appreciates the urgency of working rapidly and in concert with a customer's management and Information Technology staff to prioritize tasks and to put essential systems back on line as fast as humanly possible.

Customer Story: A Successful Ransomware Penetration Restoration
A business contacted Progent after their organization was attacked by the Ryuk ransomware virus. Ryuk is generally considered to have been created by North Korean state hackers, possibly adopting algorithms exposed from America's NSA organization. Ryuk goes after specific businesses with limited ability to sustain disruption and is among the most profitable instances of ransomware. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a single-location manufacturer located in Chicago with about 500 staff members. The Ryuk event had shut down all company operations and manufacturing processes. Most of the client's data backups had been directly accessible from the network at the time of the attack and were encrypted. The client was evaluating paying the ransom demand (more than two hundred thousand dollars) and hoping for the best, but in the end called Progent.


"I can't say enough about the help Progent provided us during the most fearful period of (our) business's existence. We had little choice but to pay the cyber criminals behind the attack if not for the confidence the Progent group gave us. The fact that you could get our e-mail and key applications back on-line in less than one week was amazing. Each expert I interacted with or texted at Progent was amazingly focused on getting our company operational and was working all day and night on our behalf."

Progent worked hand in hand with the customer to rapidly assess and prioritize the critical applications that needed to be restored to make it possible to restart departmental functions:

  • Active Directory
  • Electronic Mail
  • Accounting/MRP

To begin, Progent followed ransomware incident response best practices by isolating and cleaning up infected systems. Progent then began the work of rebuilding Microsoft Active Directory, the foundation of enterprise environments built upon Microsoft Windows Server technology. Microsoft Exchange email will not function without Windows AD, and the client's financials and MRP system utilized SQL Server, which relies on Active Directory services to authenticate access to the data.

Within two days, Progent was able to restore Active Directory services to their pre-attack state. Progent then completed the rebuild and storage recovery of critical servers. All Exchange schema and configuration information were intact, which greatly helped the restore of Exchange. Progent was able to assemble non-encrypted OST files (Outlook Off-Line Data Files) from user workstations and laptops in order to recover email messages. A relatively recent offline backup of the business's accounting/MRP systems made it possible to return these essential applications to service. Although a lot of work remained to recover completely from the Ryuk virus, essential systems were returned to operation rapidly:


"For the most part, the manufacturing operation ran fairly normal throughout and we did not miss any customer deliverables."

Throughout the next few weeks key milestones in the recovery project were accomplished through close collaboration between Progent consultants and the customer:

  • In-house web sites were brought back up with no loss of information.
  • The MailStore Microsoft Exchange Server with over four million historical messages was brought on-line and available for users.
  • CRM/Orders/Invoicing/Accounts Payable (AP)/Accounts Receivables (AR)/Inventory Control capabilities were 100% recovered.
  • A new Palo Alto Networks 850 security appliance was installed and configured.
  • Nearly all of the user workstations were operational.

"A lot of what was accomplished in the early hours is nearly entirely a haze for me, but my management will not soon forget the dedication each of your team put in to help get our business back. I have trusted Progent for the past 10 years, possibly more, and each time I needed help Progent has come through and delivered as promised. This time was a Herculean accomplishment."

Conclusion
A likely business-killing catastrophe was averted due to top-tier experts, a wide array of technical expertise, and close collaboration. Although in the post-mortem the crypto-ransomware penetration detailed here should have been blocked with advanced cyber security systems and best practices, team training, and well-designed security procedures for information backup and software patching, the fact remains that government-sponsored cybercriminals from Russia, China and elsewhere are relentless and are not going away. If you do get hit by a ransomware incursion, feel confident that Progent's roster of experts has substantial experience in ransomware virus blocking, remediation, and information systems recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (and any others who were contributing), I'm grateful for allowing me to get some sleep after we got past the first week. Everyone did an impressive job, and if any of your team is around the Chicago area, a great meal is the least I can do!"

To review or download a PDF version of this case study, please click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Offered by Progent
Progent offers companies in Durham a range of online monitoring and security evaluation services to help you to minimize the threat from ransomware. These services utilize modern artificial intelligence capability to uncover zero-day variants of ransomware that can evade traditional signature-based anti-virus products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) service that incorporates cutting-edge behavioral machine learning tools to guard physical and virtual endpoints against new malware assaults like ransomware and fileless exploits, which routinely evade legacy signature-matching anti-virus products. ProSight ASM safeguards local and cloud-based resources and offers a single platform to automate the entire malware attack lifecycle including blocking, identification, mitigation, remediation, and forensics. Top features include single-click rollback using Windows Volume Shadow Copy Service (VSS) and real-time network-wide immunization against new attacks. Read more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Protection and Microsoft Exchange Filtering
    Progent's ProSight Enhanced Security Protection managed services offer economical multi-layer protection for physical and virtual servers, desktops, smartphones, and Exchange Server. ProSight ESP uses adaptive security and advanced machine learning for round-the-clock monitoring and response to cyber assaults from all attack vectors. ProSight ESP offers firewall protection, intrusion alerts, device control, and web filtering through leading-edge technologies incorporated within one agent accessible from a unified console. Progent's data protection and virtualization consultants can assist you to plan and configure a ProSight ESP deployment that meets your company's unique requirements and that allows you to demonstrate compliance with legal and industry data protection standards. Progent will help you define and configure the security policies that ProSight ESP will enforce, and Progent will monitor your IT environment and react to alerts that require immediate attention. Progent can also help your company to set up and verify a backup and disaster recovery system like ProSight Data Protection Services so you can get back in business rapidly after a destructive cyber attack like ransomware. Learn more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint protection and Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery
    ProSight Data Protection Services from Progent provide small and medium-sized organizations a low-cost and fully managed service for secure backup/disaster recovery. Available at a fixed monthly cost, ProSight DPS automates and monitors your backup processes and allows fast restoration of critical data, applications and virtual machines that have become unavailable or corrupted due to component failures, software bugs, disasters, human mistakes, or malware attacks like ransomware. ProSight Data Protection Services can help you back up, retrieve and restore files, folders, applications, system images, plus Microsoft Hyper-V and VMware images. Critical data can be backed up to the cloud, to an on-premises storage device, or to both. Progent's cloud backup consultants can deliver world-class expertise to configure ProSight DPS to comply with regulatory requirements such as HIPAA, FINRA, and PCI and, whenever needed, can help you to restore your business-critical data. Learn more about ProSight Data Protection Services Managed Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering and email encryption service that incorporates the infrastructure of leading information security companies to deliver centralized management and world-class security for all your email traffic. The powerful structure of Progent's Email Guard managed service combines cloud-based filtering with an on-premises gateway appliance to provide advanced defense against spam, viruses, DoS attacks, directory harvest attacks (DHAs), and other email-based malware. The cloud filter acts as a first line of defense and blocks most threats from reaching your security perimeter. This reduces your exposure to external threats and conserves system bandwidth and storage space. Email Guard's on-premises security gateway device provides a deeper level of analysis for inbound email. For outgoing email, the onsite security gateway provides AV and anti-spam filtering, protection against data leaks, and email encryption. The local security gateway can also help Microsoft Exchange Server to track and safeguard internal email traffic that stays within your security perimeter. For more details, visit Email Guard spam and content filtering.

  • ProSight WAN Watch: Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is an infrastructure management service that makes it easy and affordable for smaller businesses to diagram, track, reconfigure and debug their networking hardware such as routers and switches, firewalls, and access points plus servers, client computers and other devices. Using state-of-the-art RMM technology, WAN Watch ensures that infrastructure topology diagrams are always current, copies and manages the configuration of almost all devices connected to your network, monitors performance, and generates notices when problems are detected. By automating time-consuming management activities, WAN Watch can cut hours off common tasks like network mapping, reconfiguring your network, locating appliances that require critical updates, or identifying the cause of performance issues. Find out more about ProSight WAN Watch network infrastructure monitoring and management services.

  • ProSight LAN Watch: Server and Desktop Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop monitoring service that incorporates state-of-the-art remote monitoring and management techniques to help keep your IT system running at peak levels by tracking the state of the critical computers that power your information system. When ProSight LAN Watch uncovers an issue, an alert is transmitted automatically to your designated IT management staff and your assigned Progent engineering consultant so that any looming problems can be addressed before they can disrupt your network. Learn more about ProSight LAN Watch server and desktop remote monitoring consulting.

  • ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
    With ProSight Virtual Hosting service, a small or mid-size organization can have its critical servers and apps hosted in a secure, fault-tolerant data center on a high-performance virtual machine host set up and maintained by Progent's IT support professionals. With Progent's ProSight Virtual Hosting service model, the customer owns the data, the OS platforms, and the apps. Because the system is virtualized, it can be ported easily to a different hosting solution without requiring a time-consuming and difficult reinstallation procedure. With ProSight Virtual Hosting, your business is not tied to a single hosting service. Learn more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to capture, maintain, retrieve and protect data related to your network infrastructure, procedures, applications, and services. You can instantly find passwords or serial numbers and be alerted about upcoming expirations of SSL certificates or warranties. By updating and managing your IT infrastructure documentation, you can save as much as half the time wasted trying to find critical information about your network. ProSight IT Asset Management includes a centralized repository for storing and collaborating on all documents required for managing your business network such as recommended procedures and How-To's. ProSight IT Asset Management also supports a high level of automation for collecting and associating IT information. Whether you're planning enhancements, doing regular maintenance, or reacting to an emergency, ProSight IT Asset Management delivers the knowledge you need the instant you need it. Read more about ProSight IT Asset Management service.

For 24-Hour Durham Crypto Remediation Support Services, contact Progent at 800-993-9400 or go to Contact Progent.