Ransomware: Your Feared IT Catastrophe
Ransomware has become an escalating cyberplague that represents an enterprise-level danger for businesses poorly prepared for an assault. Multiple generations of ransomware like the CryptoLocker, Fusob, Locky, SamSam and MongoLock cryptoworms have been circulating for years and still inflict havoc. Recent strains of ransomware like Ryuk, Maze, Sodinokibi, DopplePaymer, Snatch or Nephilim, as well as additional unnamed newcomers, not only encrypt online critical data but also infect most configured system protection mechanisms. Files replicated to the cloud can also be ransomed. With a vulnerable data protection solution, this can make any restoration impossible and effectively knock the datacenter back to square one.

Getting applications and data back online after a ransomware outage becomes a race against the clock as the victim fights to contain the damage, clean up the crypto-ransomware, and resume enterprise-critical operations. Because ransomware requires time to spread, assaults are often launched during weekends and nights, when penetrations typically take more time to identify. This multiplies the difficulty of rapidly mobilizing and organizing a knowledgeable mitigation team.

Progent has a variety of help services for protecting enterprises from crypto-ransomware events. Among these are staff training to become familiar with and not fall victim to phishing exploits, ProSight Active Security Monitoring for remote monitoring and management, in addition to installation of the latest generation security solutions with artificial intelligence capabilities to intelligently discover and extinguish new cyber threats. Progent in addition can provide the assistance of veteran ransomware recovery consultants with the skills and commitment to re-deploy a compromised network as urgently as possible.

Progent's Ransomware Restoration Services
Following a crypto-ransomware penetration, paying the ransom demands in Bitcoin cryptocurrency does not guarantee that distant criminals will return the keys to decrypt any of your information. Kaspersky determined that 17% of ransomware victims never restored their data after having sent off the ransom, resulting in increased losses. The risk is also costly. Ryuk ransoms frequently range from 15 to 40 BTC ($120,000 to $400,000). This is well above the typical crypto-ransomware demands, which ZDNET estimates to be approximately $13,000. The other path is to piece back together the critical elements of your IT environment. Without the availability of essential system backups, this requires a wide complement of skill sets, top-notch team management, and the ability to work non-stop until the task is complete.

For decades, Progent has made available certified expert Information Technology services for businesses in Fargo and throughout the U.S. and has achieved Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes consultants who have been awarded top certifications in key technologies such as Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cybersecurity experts have garnered internationally-renowned certifications including CISA, CISSP, CRISC, and SANS GIAC. (See Progent's certifications). Progent also has expertise with financial management and ERP applications. This breadth of experience gives Progent the capability to efficiently understand necessary systems and re-organize the surviving parts of your Information Technology environment following a crypto-ransomware penetration and assemble them into a functioning network.

Progent's security team has state-of-the-art project management applications to orchestrate the sophisticated restoration process. Progent understands the importance of working swiftly and in concert with a client's management and IT resources to assign priority to tasks and to put critical systems back online as fast as humanly possible.

Client Story: A Successful Crypto-Ransomware Penetration Restoration
A business contacted Progent after their network was brought down by the Ryuk crypto-ransomware. Ryuk is believed to have been developed by North Korean government-sponsored criminal gangs, suspected of adopting strategies exposed from the U.S. NSA. Ryuk seeks specific companies with limited room for disruption and is one of the most lucrative versions of ransomware. Major organizations affected include Data Resolution, a California-based information warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a single-location manufacturer based in the Chicago metro area and has around 500 employees. The Ryuk intrusion had shut down all business operations and manufacturing processes. The majority of the client's system backups had been online at the time of the intrusion and were destroyed. The client was taking steps to pay the ransom (more than $200,000) and hoping for good luck, but in the end brought in Progent.


"I cannot thank you enough in regards to the expertise Progent provided us throughout the most critical time of (our) business's survival. We had little choice but to pay the cybercriminals except for the confidence the Progent experts provided us. That you were able to get our e-mail and important applications back on-line faster than 1 week was amazing. Every single person I got help from or messaged at Progent was amazingly focused on getting my company operational and was working non-stop on our behalf."

Progent worked hand in hand with the client to rapidly assess and prioritize the critical services that needed to be recovered in order to resume business operations:

  • Active Directory (AD)
  • Electronic Mail
  • Financials/MRP

To get going, Progent followed AV/Malware Processes incident response best practices by stopping lateral movement and removing active viruses. Progent then started the process of bringing Active Directory, the core of enterprise systems built on Microsoft technology, back online. Exchange messaging will not work without Windows AD, and the business's MRP system leveraged Microsoft SQL, which needs Windows AD for security authorization to the databases.

In less than 48 hours, Progent was able to rebuild Windows Active Directory to its pre-attack state. Progent then accomplished reinstallations and storage recovery on needed servers. All Exchange Server ties and configuration information were intact, which accelerated the rebuild of Exchange. Progent was also able to find intact OST data files (Outlook Off-Line Data Files) on various PCs and laptops to recover mail information. A recent off-line backup of the client's accounting systems enabled them to bring these required applications back online. Although a lot of work still had to be done to recover totally from the Ryuk event, critical services were returned to operation quickly:


"For the most part, the production line operation never missed a beat and we made all customer sales."

Over the following couple of weeks key milestones in the restoration project were completed in close cooperation between Progent team members and the client:

  • Self-hosted web applications were returned to operation with no loss of information.
  • The MailStore Exchange Server with over four million historical emails was brought on-line and available for users.
  • CRM/Customer Orders/Invoicing/Accounts Payable/AR/Inventory Control modules were fully operational.
  • A new Palo Alto 850 security appliance was installed and configured.
  • Nearly all of the user PCs were back into operation.

"A lot of what occurred during the initial response is nearly entirely a haze for me, but I will not soon forget the countless hours each of you accomplished to help get our business back. I've been working together with Progent for the past ten years, maybe more, and every time Progent has shined and delivered. This event was no exception but maybe more Herculean."

Conclusion
A potential business-killing disaster was averted thanks to dedicated professionals, a wide array of technical expertise, and close teamwork. Although it was apparent upon completion of forensics that the ransomware attack described here could have been blocked with advanced security systems and best practices, team training, and properly executed incident response procedures for data backup and keeping systems up to date with security patches, the fact remains that government-sponsored cyber criminals from China, North Korea and elsewhere are relentless and represent an ongoing threat. If you do fall victim to a ransomware virus, remember that Progent's roster of experts has substantial experience in ransomware virus defense, removal, and information systems disaster recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others that were involved), I'm grateful for allowing me to get rested after we got past the initial fire. All of you did an incredible job, and if any of your team is visiting the Chicago area, dinner is my treat!"

To read or download a PDF version of this customer case study, please click:
Progent's Ryuk Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent offers companies in Fargo a variety of online monitoring and security evaluation services to help you to reduce your vulnerability to ransomware. These services utilize modern artificial intelligence capability to uncover new strains of ransomware that are able to evade legacy signature-based security products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection solution that incorporates next generation behavior machine learning tools to defend physical and virtual endpoints against new malware attacks such as ransomware and email phishing, which routinely evade legacy signature-matching anti-virus tools. ProSight Active Security Monitoring protects local and cloud resources and provides a single platform to automate the entire threat lifecycle including filtering, detection, mitigation, remediation, and post-attack forensics. Top capabilities include one-click rollback with Windows Volume Shadow Copy Service and real-time system-wide immunization against newly discovered attacks. Read more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection (ESP): Endpoint Security and Exchange Filtering
    Progent's ProSight Enhanced Security Protection (ESP) services deliver affordable in-depth protection for physical servers and virtual machines, workstations, smartphones, and Exchange Server. ProSight ESP uses adaptive security and modern behavior analysis for round-the-clock monitoring and responding to security assaults from all attack vectors. ProSight ESP offers firewall protection, intrusion alarms, endpoint control, and web filtering through cutting-edge technologies incorporated within a single agent accessible from a single control. Progent's security and virtualization experts can assist your business to design and implement a ProSight ESP deployment that meets your organization's specific requirements and that helps you demonstrate compliance with legal and industry data security regulations. Progent will assist you specify and configure policies that ProSight ESP will enforce, and Progent will monitor your IT environment and react to alarms that require urgent attention. Progent's consultants can also help your company to install and verify a backup and disaster recovery system like ProSight Data Protection Services so you can recover quickly from a potentially disastrous cyber attack like ransomware. Find out more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint protection and Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services provide small and medium-sized organizations an affordable end-to-end service for reliable backup/disaster recovery (BDR). Available at a fixed monthly cost, ProSight DPS automates and monitors your backup processes and enables fast recovery of critical data, apps and VMs that have become unavailable or damaged as a result of component breakdowns, software bugs, natural disasters, human error, or malicious attacks such as ransomware. ProSight Data Protection Services can help you protect, retrieve and restore files, folders, apps, system images, plus Hyper-V and VMware virtual machine images. Important data can be backed up on the cloud, to an on-premises storage device, or to both. Progent's BDR specialists can provide advanced support to set up ProSight Data Protection Services to comply with regulatory requirements such as HIPAA, FIRPA, and PCI and, when necessary, can assist you to recover your critical data. Read more about ProSight DPS Managed Cloud Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering service that incorporates the infrastructure of top information security vendors to provide centralized management and comprehensive security for all your inbound and outbound email. The hybrid structure of Email Guard managed service integrates a Cloud Protection Layer with a local security gateway appliance to provide advanced defense against spam, viruses, Denial of Service (DoS) Attacks, Directory Harvest Attacks (DHAs), and other email-borne malware. The Cloud Protection Layer serves as a first line of defense and blocks the vast majority of unwanted email from reaching your network firewall. This decreases your vulnerability to external attacks and saves network bandwidth and storage. Email Guard's onsite security gateway device provides a further level of inspection for inbound email. For outbound email, the onsite security gateway offers anti-virus and anti-spam filtering, policy-based Data Loss Prevention, and email encryption. The on-premises gateway can also help Exchange Server to monitor and protect internal email traffic that originates and ends within your corporate firewall. For more details, see ProSight Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is a network infrastructure management service that makes it simple and affordable for smaller businesses to map out, monitor, enhance and troubleshoot their connectivity appliances like routers and switches, firewalls, and load balancers as well as servers, printers, client computers and other devices. Using state-of-the-art Remote Monitoring and Management technology, ProSight WAN Watch makes sure that infrastructure topology diagrams are kept current, captures and manages the configuration of virtually all devices on your network, monitors performance, and generates notices when issues are discovered. By automating complex management and troubleshooting processes, WAN Watch can knock hours off common chores such as making network diagrams, reconfiguring your network, locating appliances that need important software patches, or identifying the cause of performance bottlenecks. Learn more about ProSight WAN Watch network infrastructure monitoring and management consulting.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring
    ProSight LAN Watch is Progent's server and desktop monitoring service that incorporates state-of-the-art remote monitoring and management (RMM) techniques to keep your IT system operating efficiently by checking the health of vital computers that power your business network. When ProSight LAN Watch uncovers a problem, an alert is sent automatically to your designated IT personnel and your Progent consultant so any looming issues can be addressed before they have a chance to impact your network. Learn more about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
    With Progent's ProSight Virtual Hosting service, a small or mid-size business can have its key servers and applications hosted in a secure fault tolerant data center on a fast virtual machine host set up and managed by Progent's IT support professionals. With Progent's ProSight Virtual Hosting model, the customer owns the data, the OS platforms, and the applications. Because the environment is virtualized, it can be moved immediately to a different hardware solution without a time-consuming and difficult reinstallation process. With ProSight Virtual Hosting, you are not tied to a single hosting service. Find out more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to capture, update, find and protect information related to your IT infrastructure, processes, business apps, and services. You can quickly locate passwords or IP addresses and be warned automatically about impending expirations of SSL certificates, domains or warranties. By updating and managing your IT infrastructure documentation, you can save up to half of the time wasted trying to find critical information about your IT network. ProSight IT Asset Management includes a common location for storing and collaborating on all documents required for managing your network infrastructure such as standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also offers a high level of automation for collecting and associating IT information. Whether you're planning improvements, performing maintenance, or reacting to a crisis, ProSight IT Asset Management delivers the knowledge you need as soon as you need it. Find out more about ProSight IT Asset Management service.

For 24/7/365 Fargo Crypto Recovery Experts, reach out to Progent at 800-993-9400 or go to Contact Progent.