Ransomware : Your Feared Information Technology Nightmare
Ransomware has become an escalating cyber pandemic that poses an extinction-level threat for businesses of all sizes vulnerable to an assault. Multiple generations of crypto-ransomware like the Reveton, Fusob, Bad Rabbit, Syskey and MongoLock cryptoworms have been circulating for a long time and still inflict harm. Recent variants of ransomware like Ryuk, Maze, Sodinokibi, Netwalker, Lockbit or Egregor, plus daily unnamed viruses, not only encrypt critical online data but also infiltrate any reachable system restore points and backups. Files synchronized to off-site disaster recovery sites can also be rendered useless. In a poorly designed system, this renders automated restoration useless and effectively knocks the entire system back to square one.
Getting applications and information back after a crypto-ransomware outage becomes a sprint against time as the targeted organization fights to contain and remove the virus and to resume business-critical activity. Because crypto-ransomware needs time to spread, attacks are usually launched during weekends and nights, when penetrations typically take longer to recognize. This multiplies the difficulty of quickly assembling and organizing a capable response team.
Progent has a variety of services for securing enterprises from ransomware penetrations. Among these are staff education to become familiar with and avoid phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, plus deployment of the latest generation security gateways with artificial intelligence capabilities to intelligently identify and disable day-zero cyber threats. Progent in addition can provide the services of experienced ransomware recovery professionals with the track record and perseverance to reconstruct a compromised system as quickly as possible.
Progent's Ransomware Restoration Services
Subsequent to a ransomware penetration, paying the ransom in cryptocurrency does not ensure that merciless criminals will return the keys to decrypt all your files. Kaspersky estimated that seventeen percent of ransomware victims never recovered their files after having paid the ransom, resulting in additional losses. The gamble is also costly. Ryuk ransoms frequently range from 15-40 BTC ($120,000 to $400,000). This is well above the typical ransomware demand, which ZDNET estimates to be approximately $13,000. The other path is to piece back together the mission-critical elements of your IT environment. Absent the availability of complete data backups, this calls for a wide complement of skill sets, professional team management, and the capability to work continuously until the recovery project is done.
For decades, Progent has provided certified expert Information Technology services for companies in Uniondale and throughout the United States and has earned Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes engineers who have earned top certifications in key technologies including Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cyber security consultants have earned internationally-renowned industry certifications including CISA, CISSP-ISSAP, ISACA CRISC, and GIAC. (Visit Progent's certifications). Progent also has expertise with financial systems and ERP software solutions. This breadth of experience affords Progent the ability to quickly understand important systems and re-organize the remaining components of your network system after a ransomware attack and configure them into a functioning system.
Progent's ransomware team deploys best-of-breed project management tools to coordinate the complicated restoration process. Progent understands the importance of working swiftly and in concert with a customer's management and Information Technology team members to prioritize tasks and to get critical services back online as fast as humanly possible.
Case Study: A Successful Crypto-Ransomware Virus Restoration
A small business hired Progent after their company was penetrated by the Ryuk ransomware. Ryuk is generally considered to have been developed by North Korean state hackers, possibly using strategies exposed from the United States National Security Agency. Ryuk seeks specific organizations with little tolerance for disruption and is among the most lucrative examples of ransomware. Major victims include Data Resolution, a California-based information warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a single-location manufacturing company headquartered in the Chicago metro area and has about 500 staff members. The Ryuk attack had paralyzed all company operations and manufacturing capabilities. The majority of the client's backups had been online at the time of the attack and were destroyed. The client considered paying the ransom demand (exceeding $200,000) and praying for good luck, but ultimately called Progent.
"I cannot tell you enough in regards to the expertise Progent provided us throughout the most fearful period of (our) business's existence. We had little choice but to pay the Hackers if it wasn't for the confidence the Progent experts provided us. That you were able to get our e-mail and key applications back online in less than 1 week was amazing. Each expert I talked with or e-mailed at Progent was laser focused on getting us restored and was working non-stop to bail us out."
Progent worked with the client to quickly identify and prioritize the critical applications that had to be restored in order to continue company operations:
- Windows Active Directory
- Electronic Mail
To get going, Progent followed ransomware incident mitigation industry best practices by halting lateral movement and performing virus removal steps. Progent then initiated the task of restoring Microsoft Active Directory, the heart of enterprise systems built on Microsoft technology. Microsoft Exchange email will not function without Windows AD, and the customer's MRP applications leveraged Microsoft SQL, which requires Active Directory for authentication to the data.
In less than 2 days, Progent was able to rebuild Windows Active Directory to its pre-attack state. Progent then charged ahead with rebuilding and hard drive recovery of needed systems. All Exchange Server data and configuration information were usable, which facilitated the restore of Exchange. Progent was able to locate intact OST files (Microsoft Outlook Offline Data Files) on various workstations and laptops to recover mail information. A recent off-line backup of the business's accounting/MRP systems made it possible to return these essential services to service. Although significant work was left to recover completely from the Ryuk virus, the most important systems were returned to operation rapidly:
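The recovery sequence above (contain first, then Active Directory, then the mail and SQL-backed MRP systems that authenticate against it) and the lesson that only the off-line backup survived can be captured as a small planning tool. The following Python script is an added example and is not Progent's code or tooling; the inventory of systems, dependencies and backup copies is constructed to mirror the case study, and the assumption that every backup reachable from the domain at the time of the attack was encrypted is the author's, not a statement about the client's environment. It orders restoration with a dependency-aware topological sort, breaks ties by business priority, refuses cyclic dependency graphs, and marks each system as restorable from a surviving off-line copy or as needing a rebuild.

```python
"""Ransomware recovery planner (added example, not Progent's tooling).

Given an inventory of systems, their dependencies and their backup copies,
produce a restore order that never brings a system up before the systems it
authenticates against, and flag which systems still have a clean copy.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class BackupCopy:
    location: str
    offline: bool      # detached or immutable: not reachable with a stolen domain account
    age_days: int


@dataclass
class System:
    name: str
    priority: int                           # 1 = bring up first once dependencies are met
    depends_on: list[str] = field(default_factory=list)
    backups: list[BackupCopy] = field(default_factory=list)


def surviving_backup(system: System) -> Optional[BackupCopy]:
    """Assumption: every online copy was reachable during the attack and was
    encrypted, so only off-line copies count. Return the newest usable one."""
    usable = [b for b in system.backups if b.offline]
    return min(usable, key=lambda b: b.age_days) if usable else None


def restore_order(systems: list[System]) -> list[str]:
    """Kahn's topological sort; among systems whose dependencies are already
    restored, the lowest priority number goes first."""
    by_name = {s.name: s for s in systems}
    indegree = {s.name: 0 for s in systems}
    dependents: dict[str, list[str]] = defaultdict(list)
    for s in systems:
        for dep in s.depends_on:
            if dep not in by_name:
                raise ValueError(f"{s.name} depends on unknown system {dep}")
            indegree[s.name] += 1
            dependents[dep].append(s.name)
    ready = [n for n, d in indegree.items() if d == 0]
    order: list[str] = []
    while ready:
        ready.sort(key=lambda n: (by_name[n].priority, n))
        name = ready.pop(0)
        order.append(name)
        for child in dependents[name]:
            indegree[child] -= 1
            if indegree[child] == 0:
                ready.append(child)
    if len(order) != len(systems):
        stuck = [n for n in indegree if n not in order]
        raise ValueError("dependency cycle involving: " + ", ".join(stuck))
    return order


def recovery_plan(systems: list[System]) -> list[tuple[str, str, Optional[str]]]:
    """(system, RESTORE|REBUILD, source) in the order the work should happen."""
    by_name = {s.name: s for s in systems}
    plan = []
    for name in restore_order(systems):
        copy = surviving_backup(by_name[name])
        if copy is None:
            # No clean copy: rebuild from scratch or scavenge data (e.g. OST files on workstations)
            plan.append((name, "REBUILD", None))
        else:
            plan.append((name, "RESTORE", f"{copy.location} ({copy.age_days}d old)"))
    return plan


# Constructed inventory mirroring the case study; locations and ages are illustrative.
INVENTORY = [
    System("active-directory", 1, [], [BackupCopy("same-lan-nas", False, 1),
                                       BackupCopy("synced-dr-site", False, 1)]),
    System("exchange", 2, ["active-directory"], [BackupCopy("same-lan-nas", False, 1)]),
    System("sql-server", 3, ["active-directory"], [BackupCopy("offline-tape", True, 3)]),
    System("mrp", 3, ["sql-server"], [BackupCopy("offline-tape", True, 3)]),
    System("web-apps", 4, ["active-directory", "sql-server"], [BackupCopy("offline-tape", True, 3)]),
    System("workstations", 5, ["active-directory"], []),
]

if __name__ == "__main__":
    for name, action, source in recovery_plan(INVENTORY):
        print(f"{action:8} {name:18} {source or '(no surviving off-line copy)'}")
```

Running it on the constructed inventory puts Active Directory first, then Exchange, then SQL Server ahead of the MRP and web applications that depend on it; the systems whose only copies were on the LAN or a synchronized DR site come back as REBUILD, which is the situation the case study describes.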
"For the most part, the production manufacturing operation showed little impact and we made all customer orders."
Throughout the following month key milestones in the restoration process were accomplished through tight collaboration between Progent team members and the client:
- Internal web applications were restored with no loss of information.
- The MailStore Exchange Server exceeding 4 million archived messages was spun up and available for users.
- CRM/Customer Orders/Invoices/Accounts Payable/AR/Inventory Control modules were 100% restored.
- A new Palo Alto Networks 850 security appliance was brought on-line.
- Nearly all of the user workstations were functioning as before the incident.
"So much of what occurred in the early hours is nearly entirely a haze for me, but my team will not forget the dedication each of your team accomplished to help get our business back. I have been working with Progent for the past 10 years, possibly more, and each time Progent has impressed me and delivered. This time was a Herculean accomplishment."
A likely business extinction disaster was avoided through the efforts of results-oriented experts, a broad range of IT skills, and close collaboration. Although in retrospect the ransomware penetration detailed here would have been identified and stopped with modern security technology solutions and NIST Cybersecurity Framework best practices, user training, and well thought out security procedures for data protection and keeping systems up to date with security patches, the fact is that government-sponsored cybercriminals from China, Russia, North Korea and elsewhere are tireless and are not going away. If you do fall victim to a crypto-ransomware penetration, remember that Progent's team of experts has proven experience in ransomware virus defense, removal, and information systems restoration.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (along with others that were helping), I'm grateful for allowing me to get some sleep after we got past the most critical parts. Everyone did an amazing job, and if any of your guys is around the Chicago area, a great meal is on me!"
To review or download a PDF version of this customer case study, click:
Progent's Ryuk Virus Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Offered by Progent
Progent can provide businesses in Uniondale a range of remote monitoring and security assessment services designed to help you to reduce the threat from ransomware. These services utilize modern artificial intelligence technology to detect new variants of ransomware that can escape detection by traditional signature-based security solutions.
For 24/7/365 Uniondale Crypto Cleanup Consultants, call Progent at 800-993-9400 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection solution that incorporates next generation behavior-based machine learning technology to defend physical and virtual endpoint devices against modern malware assaults such as ransomware and file-less exploits, which easily evade traditional signature-based anti-virus tools. ProSight ASM protects local and cloud resources and provides a unified platform to address the entire malware attack progression including blocking, detection, mitigation, cleanup, and post-attack forensics. Top features include one-click rollback with Windows VSS and automatic network-wide immunization against new threats. Read more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware recovery.
- ProSight Enhanced Security Protection (ESP): Endpoint Security and Microsoft Exchange Email Filtering
Progent's ProSight Enhanced Security Protection (ESP) managed services offer affordable in-depth security for physical servers and VMs, workstations, mobile devices, and Microsoft Exchange. ProSight ESP utilizes adaptive security and modern behavior analysis for round-the-clock monitoring and responding to security threats from all vectors. ProSight ESP offers two-way firewall protection, penetration alerts, device management, and web filtering through cutting-edge technologies incorporated within one agent managed from a single control. Progent's data protection and virtualization experts can assist you to design and configure a ProSight ESP environment that addresses your organization's specific requirements and that helps you achieve and demonstrate compliance with government and industry data security regulations. Progent will assist you specify and configure policies that ProSight ESP will manage, and Progent will monitor your network and react to alarms that require immediate action. Progent's consultants can also assist you to set up and verify a backup and disaster recovery system like ProSight Data Protection Services (DPS) so you can recover quickly from a destructive cyber attack such as ransomware. Find out more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint protection and Microsoft Exchange email filtering.
- ProSight Data Protection Services: Managed Backup and Disaster Recovery
ProSight Data Protection Services offer small and medium-sized businesses an affordable end-to-end service for reliable backup/disaster recovery. For a fixed monthly price, ProSight DPS automates your backup processes and allows fast restoration of critical files, apps and virtual machines that have become unavailable or corrupted due to component breakdowns, software bugs, natural disasters, human error, or malicious attacks like ransomware. ProSight DPS can help you back up, retrieve and restore files, folders, apps, system images, plus Hyper-V and VMware images. Critical data can be protected on the cloud, to an on-premises device, or to both. Progent's backup and recovery consultants can deliver world-class expertise to configure ProSight Data Protection Services to comply with regulatory requirements like HIPAA, FINRA, PCI and Safe Harbor and, whenever necessary, can assist you to restore your business-critical information. Read more about ProSight Data Protection Services Managed Backup and Recovery.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam and virus filtering service that incorporates the technology of top information security companies to deliver centralized control and comprehensive protection for all your inbound and outbound email. The hybrid structure of Progent's Email Guard integrates cloud-based filtering with an on-premises gateway appliance to provide complete protection against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks (DHAs), and other email-based threats. Email Guard's Cloud Protection Layer serves as a first line of defense and keeps most threats from making it to your network firewall. This decreases your vulnerability to external attacks and saves system bandwidth and storage space. Email Guard's on-premises gateway appliance adds a deeper layer of analysis for incoming email. For outgoing email, the onsite gateway offers AV and anti-spam filtering, DLP, and email encryption. The onsite security gateway can also help Exchange Server to track and protect internal email traffic that stays within your security perimeter. For more details, visit Email Guard spam filtering and data leakage protection.
- ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
Progent's ProSight WAN Watch is an infrastructure management service that makes it simple and inexpensive for smaller organizations to map out, monitor, reconfigure and troubleshoot their networking appliances like routers and switches, firewalls, and wireless controllers as well as servers, printers, endpoints and other networked devices. Using cutting-edge Remote Monitoring and Management technology, ProSight WAN Watch ensures that infrastructure topology maps are kept current, copies and displays the configuration of almost all devices on your network, monitors performance, and sends notices when potential issues are discovered. By automating time-consuming management and troubleshooting activities, ProSight WAN Watch can knock hours off common chores like network mapping, reconfiguring your network, finding devices that need critical software patches, or identifying the cause of performance bottlenecks. Find out more details about ProSight WAN Watch infrastructure management consulting.
- ProSight LAN Watch: Server and Desktop Remote Monitoring
ProSight LAN Watch is Progent's server and desktop monitoring service that incorporates advanced remote monitoring and management techniques to help keep your IT system running efficiently by checking the health of vital computers that drive your information system. When ProSight LAN Watch uncovers an issue, an alert is sent automatically to your specified IT staff and your assigned Progent engineering consultant so any looming problems can be addressed before they can disrupt productivity. Learn more about ProSight LAN Watch server and desktop monitoring consulting.
- ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
With Progent's ProSight Virtual Hosting service, a small or mid-size organization can have its key servers and apps hosted in a protected Tier III data center on a high-performance virtual host set up and maintained by Progent's network support experts. Under the ProSight Virtual Hosting model, the customer retains ownership of the data, the OS platforms, and the apps. Since the system is virtualized, it can be moved immediately to a different hosting environment without a time-consuming and difficult reinstallation process. With ProSight Virtual Hosting, you are not tied to a single hosting provider. Learn more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to capture, maintain, retrieve and protect information related to your IT infrastructure, procedures, applications, and services. You can quickly locate passwords or IP addresses and be alerted about impending expirations of SSL certificates or domains. By updating and managing your IT documentation, you can save up to 50% of time spent trying to find vital information about your network. ProSight IT Asset Management includes a common repository for holding and sharing all documents required for managing your business network such as standard operating procedures and self-service instructions. ProSight IT Asset Management also supports advanced automation for collecting and relating IT information. Whether you're planning enhancements, performing maintenance, or reacting to a crisis, ProSight IT Asset Management gets you the information you need when you need it. Read more about ProSight IT Asset Management service.