Ransomware : Your Crippling Information Technology Disaster
Crypto-Ransomware  Recovery ExpertsRansomware has become a too-frequent cyberplague that presents an existential threat for organizations unprepared for an attack. Different versions of crypto-ransomware like the CrySIS, CryptoWall, Bad Rabbit, SamSam and MongoLock cryptoworms have been replicating for years and still cause destruction. More recent variants of ransomware like Ryuk, Maze, Sodinokibi, DopplePaymer, Conti or Nephilim, along with daily as yet unnamed malware, not only do encryption of on-line data files but also infect any available system backups. Files synched to off-site disaster recovery sites can also be corrupted. In a poorly designed system, this can make automated restoration hopeless and effectively knocks the entire system back to zero.

Getting back programs and data following a crypto-ransomware event becomes a race against time as the targeted business fights to stop the spread and remove the ransomware and to resume enterprise-critical operations. Because ransomware requires time to move laterally, attacks are frequently sprung on weekends, when successful attacks tend to take more time to detect. This multiplies the difficulty of rapidly marshalling and orchestrating a capable mitigation team.

Progent provides a range of support services for securing organizations from crypto-ransomware attacks. These include team member education to help recognize and avoid phishing exploits, ProSight Active Security Monitoring (ASM) for remote monitoring and management, in addition to installation of the latest generation security solutions with artificial intelligence technology to intelligently detect and extinguish day-zero cyber threats. Progent also can provide the assistance of expert ransomware recovery professionals with the talent and perseverance to reconstruct a compromised network as quickly as possible.

Progent's Ransomware Recovery Support Services
Following a ransomware attack, sending the ransom demands in cryptocurrency does not provide any assurance that cyber criminals will provide the keys to decipher any of your files. Kaspersky ascertained that 17% of ransomware victims never restored their files after having sent off the ransom, resulting in more losses. The risk is also very costly. Ryuk ransoms often range from fifteen to forty BTC ($120,000 and $400,000). This is greatly above the usual crypto-ransomware demands, which ZDNET averages to be around $13,000. The alternative is to re-install the vital components of your IT environment. Absent access to essential data backups, this requires a wide complement of skill sets, top notch project management, and the capability to work continuously until the recovery project is complete.

For two decades, Progent has made available certified expert Information Technology services for businesses in Greensboro and throughout the United States and has achieved Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes engineers who have earned advanced certifications in important technologies such as Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cyber security experts have earned internationally-recognized industry certifications including CISA, CISSP, CRISC, and SANS GIAC. (Refer to Progent's certifications). Progent also has expertise in financial systems and ERP applications. This breadth of expertise gives Progent the capability to rapidly determine necessary systems and integrate the remaining components of your Information Technology environment after a ransomware attack and rebuild them into a functioning network.

Progent's ransomware team of experts utilizes state-of-the-art project management applications to coordinate the sophisticated recovery process. Progent understands the urgency of acting swiftly and in unison with a client's management and Information Technology resources to assign priority to tasks and to put the most important applications back on-line as fast as humanly possible.

Case Study: A Successful Ransomware Attack Response
A business sought out Progent after their network was crashed by the Ryuk crypto-ransomware. Ryuk is believed to have been developed by North Korean government sponsored criminal gangs, suspected of adopting approaches exposed from the United States National Security Agency. Ryuk goes after specific businesses with little tolerance for operational disruption and is one of the most profitable examples of ransomware malware. High publicized targets include Data Resolution, a California-based information warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a regional manufacturer located in the Chicago metro area with around 500 staff members. The Ryuk intrusion had frozen all essential operations and manufacturing processes. Most of the client's data backups had been online at the time of the intrusion and were eventually encrypted. The client considered paying the ransom demand (in excess of two hundred thousand dollars) and wishfully thinking for the best, but ultimately made the decision to use Progent.


"I cannot tell you enough in regards to the care Progent gave us throughout the most critical period of (our) companyís life. We may have had to pay the Hackers except for the confidence the Progent group afforded us. The fact that you could get our messaging and production applications back sooner than 1 week was incredible. Every single expert I got help from or e-mailed at Progent was laser focused on getting us back on-line and was working breakneck pace on our behalf."

Progent worked with the customer to rapidly understand and prioritize the most important services that needed to be addressed in order to restart company functions:

  • Windows Active Directory
  • E-Mail
  • Accounting and Manufacturing Software
To begin, Progent adhered to AV/Malware Processes penetration response best practices by stopping lateral movement and performing virus removal steps. Progent then began the steps of bringing back online Windows Active Directory, the heart of enterprise systems built upon Microsoft technology. Exchange messaging will not function without Windows AD, and the client's MRP applications leveraged SQL Server, which needs Windows AD for security authorization to the information.

Within 48 hours, Progent was able to restore Windows Active Directory to its pre-virus state. Progent then performed reinstallations and hard drive recovery on needed servers. All Microsoft Exchange Server data and configuration information were usable, which facilitated the rebuild of Exchange. Progent was also able to collect local OST data files (Outlook Email Off-Line Folder Files) on team desktop computers and laptops in order to recover mail messages. A not too old offline backup of the customerís accounting systems made them able to recover these essential services back online for users. Although major work needed to be completed to recover fully from the Ryuk event, essential services were returned to operations rapidly:


"For the most part, the assembly line operation did not miss a beat and we produced all customer orders."

During the following couple of weeks critical milestones in the recovery process were achieved in tight cooperation between Progent engineers and the customer:

  • Self-hosted web applications were brought back up without losing any data.
  • The MailStore Exchange Server exceeding 4 million archived emails was brought on-line and available for users.
  • CRM/Product Ordering/Invoicing/Accounts Payable (AP)/Accounts Receivables/Inventory Control modules were fully operational.
  • A new Palo Alto Networks 850 security appliance was brought on-line.
  • Nearly all of the desktops and laptops were fully operational.

"So much of what went on in the initial days is mostly a fog for me, but I will not soon forget the dedication each of your team put in to give us our business back. Iíve entrusted Progent for the past 10 years, possibly more, and each time I needed help Progent has shined and delivered as promised. This situation was a stunning achievement."

Conclusion
A likely business extinction disaster was dodged through the efforts of dedicated professionals, a wide spectrum of knowledge, and close teamwork. Although in retrospect the ransomware incident described here would have been shut down with modern security systems and ISO/IEC 27001 best practices, team education, and well thought out security procedures for data backup and keeping systems up to date with security patches, the reality remains that government-sponsored cyber criminals from Russia, China and elsewhere are relentless and represent an ongoing threat. If you do get hit by a ransomware incident, feel confident that Progent's team of experts has a proven track record in ransomware virus blocking, remediation, and information systems restoration.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were involved), thank you for making it so I could get rested after we got through the initial push. All of you did an impressive effort, and if any of your team is around the Chicago area, a great meal is the least I can do!"

To review or download a PDF version of this case study, click:
Progent's Ryuk Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Offered by Progent
Progent offers companies in Greensboro a range of remote monitoring and security evaluation services designed to assist you to minimize your vulnerability to crypto-ransomware. These services utilize next-generation AI technology to detect zero-day strains of ransomware that can get past legacy signature-based anti-virus solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring is an endpoint protection solution that utilizes next generation behavior analysis technology to defend physical and virtual endpoint devices against new malware attacks like ransomware and file-less exploits, which routinely evade traditional signature-matching anti-virus products. ProSight Active Security Monitoring safeguards local and cloud-based resources and provides a single platform to address the complete threat progression including protection, infiltration detection, containment, remediation, and post-attack forensics. Key capabilities include one-click rollback using Windows VSS and real-time system-wide immunization against newly discovered attacks. Read more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection: Physical and Virtual Endpoint Security and Microsoft Exchange Filtering
    ProSight Enhanced Security Protection services deliver ultra-affordable multi-layer protection for physical and virtual servers, desktops, mobile devices, and Exchange email. ProSight ESP utilizes adaptive security and advanced machine learning for round-the-clock monitoring and responding to cyber assaults from all attack vectors. ProSight ESP delivers firewall protection, intrusion alerts, endpoint management, and web filtering via leading-edge tools incorporated within a single agent accessible from a single control. Progent's security and virtualization experts can assist your business to plan and implement a ProSight ESP deployment that addresses your company's unique requirements and that helps you demonstrate compliance with legal and industry data protection standards. Progent will assist you specify and configure policies that ProSight ESP will manage, and Progent will monitor your IT environment and react to alerts that require urgent action. Progent's consultants can also help your company to set up and test a backup and restore system like ProSight Data Protection Services (DPS) so you can get back in business rapidly from a potentially disastrous security attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint security and Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services from Progent offer small and mid-sized businesses a low cost end-to-end service for secure backup/disaster recovery (BDR). For a fixed monthly cost, ProSight DPS automates your backup activities and enables rapid recovery of critical files, apps and virtual machines that have become unavailable or corrupted due to hardware breakdowns, software bugs, natural disasters, human error, or malicious attacks like ransomware. ProSight DPS can help you protect, retrieve and restore files, folders, apps, system images, as well as Hyper-V and VMware images/. Critical data can be protected on the cloud, to a local storage device, or mirrored to both. Progent's BDR specialists can deliver advanced support to set up ProSight Data Protection Services to to comply with government and industry regulatory requirements such as HIPAA, FIRPA, and PCI and, whenever needed, can help you to restore your business-critical data. Learn more about ProSight Data Protection Services Managed Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering and email encryption service that incorporates the infrastructure of leading information security vendors to deliver centralized control and comprehensive security for all your email traffic. The powerful architecture of Email Guard managed service combines a Cloud Protection Layer with a local gateway appliance to provide advanced protection against spam, viruses, Dos Attacks, DHAs, and other email-based malware. The Cloud Protection Layer serves as a preliminary barricade and keeps the vast majority of unwanted email from reaching your security perimeter. This reduces your vulnerability to external threats and saves system bandwidth and storage. Email Guard's onsite gateway device provides a deeper layer of analysis for inbound email. For outgoing email, the onsite security gateway provides anti-virus and anti-spam filtering, DLP, and email encryption. The on-premises security gateway can also help Microsoft Exchange Server to track and safeguard internal email traffic that originates and ends inside your security perimeter. For more details, see ProSight Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is an infrastructure management service that makes it simple and affordable for smaller organizations to map, track, reconfigure and debug their connectivity appliances like switches, firewalls, and load balancers plus servers, endpoints and other networked devices. Incorporating cutting-edge RMM technology, ProSight WAN Watch ensures that network maps are always updated, captures and manages the configuration information of almost all devices on your network, monitors performance, and generates notices when potential issues are detected. By automating complex network management activities, ProSight WAN Watch can knock hours off ordinary chores such as network mapping, reconfiguring your network, finding devices that require critical software patches, or isolating performance bottlenecks. Learn more about ProSight WAN Watch infrastructure management consulting.

  • ProSight LAN Watch: Server and Desktop Monitoring and Management
    ProSight LAN Watch is Progentís server and desktop remote monitoring service that incorporates advanced remote monitoring and management (RMM) techniques to help keep your IT system operating at peak levels by checking the health of vital computers that power your business network. When ProSight LAN Watch detects a problem, an alert is sent automatically to your designated IT personnel and your Progent engineering consultant so that any potential issues can be resolved before they can impact productivity. Learn more details about ProSight LAN Watch server and desktop remote monitoring consulting.

  • ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
    With ProSight Virtual Hosting service, a small or mid-size business can have its key servers and apps hosted in a protected fault tolerant data center on a high-performance virtual host set up and maintained by Progent's network support professionals. Under Progent's ProSight Virtual Hosting model, the client owns the data, the OS software, and the apps. Since the environment is virtualized, it can be moved easily to a different hosting environment without requiring a lengthy and difficult configuration procedure. With ProSight Virtual Hosting, you are not locked into a single hosting service. Find out more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to create, update, retrieve and safeguard information about your network infrastructure, procedures, applications, and services. You can quickly locate passwords or IP addresses and be warned automatically about upcoming expirations of SSLs or domains. By updating and organizing your IT infrastructure documentation, you can save up to 50% of time thrown away looking for vital information about your IT network. ProSight IT Asset Management includes a common location for storing and collaborating on all documents related to managing your network infrastructure like recommended procedures and self-service instructions. ProSight IT Asset Management also supports a high level of automation for collecting and associating IT data. Whether youíre planning enhancements, performing regular maintenance, or reacting to an emergency, ProSight IT Asset Management delivers the information you require when you need it. Find out more about Progent's ProSight IT Asset Management service.
For Greensboro 24-Hour Crypto Repair Support Services, reach out to Progent at 800-462-8800 or go to Contact Progent.