Ransomware : Your Feared Information Technology Disaster
Ransomware  Recovery ProfessionalsCrypto-Ransomware has become a modern cyberplague that represents an extinction-level danger for businesses vulnerable to an attack. Versions of crypto-ransomware such as CrySIS, Fusob, Bad Rabbit, SamSam and MongoLock cryptoworms have been circulating for years and still cause havoc. Recent strains of ransomware like Ryuk and Hermes, along with frequent unnamed viruses, not only encrypt on-line data but also infect all accessible system backups. Information synchronized to cloud environments can also be ransomed. In a poorly architected environment, this can render automated restoration hopeless and basically knocks the datacenter back to square one.

Getting back on-line applications and information following a ransomware outage becomes a sprint against time as the targeted organization tries its best to contain and clear the crypto-ransomware and to resume enterprise-critical activity. Because ransomware requires time to spread, assaults are usually sprung on weekends and holidays, when penetrations tend to take longer to identify. This multiplies the difficulty of rapidly marshalling and orchestrating a qualified response team.

Progent offers an assortment of solutions for securing organizations from crypto-ransomware events. These include team education to help identify and avoid phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, in addition to setup and configuration of modern security solutions with AI technology to intelligently identify and disable new cyber attacks. Progent also can provide the assistance of veteran crypto-ransomware recovery engineers with the skills and commitment to restore a breached environment as rapidly as possible.

Progent's Ransomware Restoration Support Services
After a ransomware event, sending the ransom in cryptocurrency does not guarantee that merciless criminals will respond with the keys to decipher any of your information. Kaspersky determined that 17% of crypto-ransomware victims never restored their data after having sent off the ransom, resulting in increased losses. The gamble is also costly. Ryuk ransoms often range from fifteen to forty BTC ($120,000 and $400,000). This is well higher than the average ransomware demands, which ZDNET determined to be in the range of $13,000. The alternative is to piece back together the critical components of your IT environment. Without the availability of full information backups, this requires a wide complement of IT skills, professional team management, and the capability to work 24x7 until the job is done.

For twenty years, Progent has provided professional IT services for businesses in Greensboro and throughout the U.S. and has achieved Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes professionals who have earned top industry certifications in foundation technologies such as Microsoft, Cisco, VMware, and major distributions of Linux. Progent's security experts have garnered internationally-recognized industry certifications including CISM, CISSP-ISSAP, CRISC, and SANS GIAC. (See Progent's certifications). Progent in addition has expertise with financial systems and ERP application software. This breadth of expertise provides Progent the skills to knowledgably ascertain critical systems and organize the remaining pieces of your network system after a ransomware attack and assemble them into an operational network.

Progent's recovery team uses powerful project management tools to orchestrate the complex restoration process. Progent understands the urgency of acting quickly and in unison with a client's management and IT team members to prioritize tasks and to put key applications back on-line as soon as possible.

Business Case Study: A Successful Crypto-Ransomware Attack Recovery
A client escalated to Progent after their network was taken over by Ryuk ransomware. Ryuk is generally considered to have been launched by Northern Korean government sponsored cybercriminals, suspected of adopting algorithms leaked from the United States NSA organization. Ryuk attacks specific businesses with little or no tolerance for operational disruption and is one of the most profitable versions of crypto-ransomware. High publicized organizations include Data Resolution, a California-based info warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a single-location manufacturer headquartered in the Chicago metro area with about 500 staff members. The Ryuk attack had shut down all company operations and manufacturing processes. Most of the client's data protection had been online at the time of the attack and were eventually encrypted. The client was actively seeking loans for paying the ransom demand (in excess of two hundred thousand dollars) and praying for the best, but in the end brought in Progent.


"I cannot thank you enough in regards to the care Progent provided us during the most stressful time of (our) businesses survival. We most likely would have paid the cyber criminals behind the attack except for the confidence the Progent experts gave us. The fact that you were able to get our e-mail system and important applications back quicker than seven days was something I thought impossible. Every single person I worked with or texted at Progent was hell bent on getting our system up and was working 24 by 7 on our behalf."

Progent worked hand in hand the customer to rapidly get our arms around and assign priority to the most important areas that needed to be restored in order to continue departmental functions:

  • Active Directory
  • Microsoft Exchange Server
  • Financials/MRP
To get going, Progent followed ransomware incident mitigation best practices by stopping lateral movement and cleaning systems of viruses. Progent then started the work of bringing back online Windows Active Directory, the heart of enterprise networks built on Microsoft Windows Server technology. Microsoft Exchange Server messaging will not work without Active Directory, and the businessesí MRP applications leveraged Microsoft SQL Server, which requires Windows AD for security authorization to the data.

In less than 2 days, Progent was able to rebuild Active Directory to its pre-intrusion state. Progent then completed setup and hard drive recovery of the most important systems. All Exchange data and configuration information were intact, which greatly helped the rebuild of Exchange. Progent was also able to collect local OST data files (Microsoft Outlook Offline Folder Files) on user PCs in order to recover mail information. A recent offline backup of the customerís financials/MRP software made it possible to restore these vital programs back servicing users. Although a large amount of work still had to be done to recover totally from the Ryuk event, essential systems were recovered rapidly:


"For the most part, the production manufacturing operation did not miss a beat and we made all customer deliverables."

Over the next few weeks important milestones in the restoration project were achieved in close collaboration between Progent team members and the client:

  • Internal web applications were restored without losing any data.
  • The MailStore Exchange Server with over four million historical emails was restored to operations and available for users.
  • CRM/Customer Orders/Invoicing/AP/Accounts Receivables (AR)/Inventory functions were completely recovered.
  • A new Palo Alto Networks 850 security appliance was brought online.
  • Nearly all of the user desktops and notebooks were fully operational.

"A huge amount of what occurred in the early hours is nearly entirely a fog for me, but we will not soon forget the commitment each of the team accomplished to give us our company back. I have been working with Progent for at least 10 years, maybe more, and every time I needed help Progent has shined and delivered as promised. This time was a testament to your capabilities."

Conclusion
A probable business catastrophe was evaded by hard-working professionals, a wide array of knowledge, and close teamwork. Although in analyzing the event afterwards the ransomware virus penetration described here should have been prevented with modern cyber security systems and security best practices, user training, and properly executed security procedures for information backup and proper patching controls, the reality remains that state-sponsored criminal cyber gangs from China, Russia, North Korea and elsewhere are relentless and represent an ongoing threat. If you do fall victim to a ransomware penetration, feel confident that Progent's team of professionals has a proven track record in ransomware virus defense, mitigation, and data recovery.


"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (and any others who were involved), Iím grateful for allowing me to get some sleep after we made it past the initial fire. Everyone did an incredible effort, and if any of your guys is in the Chicago area, dinner is the least I can do!"

To read or download a PDF version of this case study, please click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent offers businesses in Greensboro a range of online monitoring and security assessment services to help you to reduce the threat from crypto-ransomware. These services incorporate modern machine learning capability to uncover new strains of ransomware that can get past legacy signature-based security products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring is an endpoint protection service that incorporates cutting edge behavior-based machine learning technology to guard physical and virtual endpoint devices against new malware assaults such as ransomware and file-less exploits, which routinely escape traditional signature-matching AV tools. ProSight ASM protects on-premises and cloud-based resources and provides a single platform to automate the entire malware attack lifecycle including blocking, identification, containment, remediation, and forensics. Key features include single-click rollback with Windows Volume Shadow Copy Service and real-time system-wide immunization against new threats. Learn more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Security and Exchange Email Filtering
    Progent's ProSight Enhanced Security Protection (ESP) services deliver economical in-depth protection for physical and virtual servers, desktops, mobile devices, and Microsoft Exchange. ProSight ESP uses contextual security and advanced heuristics for continuously monitoring and responding to cyber threats from all attack vectors. ProSight ESP provides two-way firewall protection, penetration alerts, device management, and web filtering via cutting-edge tools incorporated within a single agent accessible from a unified control. Progent's security and virtualization experts can help your business to design and implement a ProSight ESP environment that meets your organization's specific requirements and that allows you achieve and demonstrate compliance with government and industry information protection regulations. Progent will assist you specify and implement policies that ProSight ESP will manage, and Progent will monitor your IT environment and react to alarms that call for urgent attention. Progent's consultants can also assist you to set up and test a backup and restore solution like ProSight Data Protection Services so you can get back in business rapidly from a potentially disastrous security attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint protection and Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery
    ProSight Data Protection Services provide small and medium-sized businesses an affordable and fully managed solution for secure backup/disaster recovery. For a low monthly cost, ProSight DPS automates your backup processes and allows fast restoration of vital data, apps and VMs that have become lost or corrupted as a result of hardware failures, software bugs, disasters, human error, or malicious attacks such as ransomware. ProSight DPS can help you protect, retrieve and restore files, folders, apps, system images, as well as Hyper-V and VMware virtual machine images. Important data can be backed up on the cloud, to a local storage device, or to both. Progent's cloud backup specialists can deliver advanced expertise to set up ProSight Data Protection Services to be compliant with regulatory requirements such as HIPAA, FINRA, and PCI and, whenever needed, can help you to restore your business-critical data. Learn more about ProSight DPS Managed Cloud Backup.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering and email encryption service that incorporates the infrastructure of leading information security vendors to deliver centralized management and world-class protection for your inbound and outbound email. The powerful structure of Email Guard managed service combines a Cloud Protection Layer with an on-premises gateway device to offer advanced defense against spam, viruses, Dos Attacks, Directory Harvest Attacks (DHAs), and other email-borne threats. The cloud filter serves as a first line of defense and keeps the vast majority of threats from making it to your security perimeter. This reduces your exposure to inbound attacks and saves system bandwidth and storage space. Email Guard's on-premises security gateway device adds a further layer of analysis for inbound email. For outgoing email, the onsite gateway provides AV and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The local security gateway can also help Microsoft Exchange Server to monitor and safeguard internal email traffic that stays inside your security perimeter. For more information, see ProSight Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is a network infrastructure monitoring and management service that makes it simple and affordable for smaller organizations to diagram, monitor, enhance and debug their connectivity appliances like routers, firewalls, and access points plus servers, printers, endpoints and other devices. Incorporating cutting-edge Remote Monitoring and Management (RMM) technology, WAN Watch makes sure that network maps are always current, copies and manages the configuration of almost all devices on your network, tracks performance, and sends notices when issues are discovered. By automating complex management processes, WAN Watch can knock hours off ordinary chores such as network mapping, expanding your network, finding devices that require important software patches, or identifying the cause of performance issues. Find out more details about ProSight WAN Watch network infrastructure management services.

  • ProSight LAN Watch: Server and Desktop Monitoring
    ProSight LAN Watch is Progentís server and desktop remote monitoring service that incorporates state-of-the-art remote monitoring and management (RMM) techniques to keep your IT system running efficiently by checking the state of vital computers that drive your information system. When ProSight LAN Watch uncovers an issue, an alarm is sent immediately to your specified IT staff and your Progent consultant so any looming issues can be addressed before they have a chance to impact productivity. Learn more about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
    With Progent's ProSight Virtual Hosting service, a small business can have its critical servers and applications hosted in a secure fault tolerant data center on a fast virtual machine host configured and managed by Progent's network support experts. Under the ProSight Virtual Hosting model, the customer retains ownership of the data, the operating system platforms, and the applications. Because the system is virtualized, it can be ported immediately to an alternate hardware environment without requiring a lengthy and technically risky configuration process. With ProSight Virtual Hosting, your business is not locked into one hosting service. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to capture, update, find and safeguard information related to your IT infrastructure, procedures, applications, and services. You can quickly locate passwords or serial numbers and be warned about impending expirations of SSLs or warranties. By cleaning up and managing your network documentation, you can save as much as 50% of time spent searching for critical information about your network. ProSight IT Asset Management features a centralized repository for holding and sharing all documents required for managing your business network such as recommended procedures and self-service instructions. ProSight IT Asset Management also supports advanced automation for collecting and associating IT information. Whether youíre making enhancements, performing regular maintenance, or responding to an emergency, ProSight IT Asset Management delivers the knowledge you need when you need it. Learn more about ProSight IT Asset Management service.
For Greensboro 24/7/365 CryptoLocker Repair Consulting, reach out to Progent at 800-993-9400 or go to Contact Progent.