Crypto-Ransomware : Your Worst IT Nightmare
Ransomware  Remediation ExpertsRansomware has become an escalating cyberplague that presents an enterprise-level threat for businesses poorly prepared for an assault. Versions of crypto-ransomware like the Dharma, Fusob, Locky, NotPetya and MongoLock cryptoworms have been running rampant for many years and continue to cause havoc. The latest versions of crypto-ransomware such as Ryuk, Maze, Sodinokibi, Netwalker, Snatch or Nephilim, plus frequent as yet unnamed viruses, not only do encryption of on-line files but also infect most accessible system protection mechanisms. Files replicated to cloud environments can also be ransomed. In a poorly designed system, this can render any restore operations impossible and effectively knocks the datacenter back to zero.

Getting back online programs and data following a ransomware event becomes a race against time as the victim fights to contain the damage and cleanup the ransomware and to resume business-critical operations. Due to the fact that crypto-ransomware needs time to spread, assaults are often launched at night, when successful attacks in many cases take more time to discover. This multiplies the difficulty of quickly marshalling and orchestrating a knowledgeable response team.

Progent makes available an assortment of help services for protecting organizations from ransomware attacks. Among these are staff training to become familiar with and avoid phishing exploits, ProSight Active Security Monitoring (ASM) for remote monitoring and management, plus deployment of next-generation security gateways with machine learning capabilities to intelligently discover and quarantine new cyber threats. Progent also provides the services of seasoned ransomware recovery consultants with the track record and commitment to restore a breached system as soon as possible.

Progent's Ransomware Recovery Help
After a ransomware attack, even paying the ransom demands in cryptocurrency does not guarantee that criminal gangs will provide the codes to unencrypt any of your information. Kaspersky Labs determined that seventeen percent of ransomware victims never restored their files after having paid the ransom, resulting in increased losses. The risk is also costly. Ryuk ransoms often range from 15-40 BTC ($120,000 and $400,000). This is greatly above the typical crypto-ransomware demands, which ZDNET determined to be approximately $13,000. The alternative is to setup from scratch the vital components of your IT environment. Without the availability of essential data backups, this calls for a wide range of IT skills, top notch team management, and the willingness to work 24x7 until the task is finished.

For two decades, Progent has offered certified expert Information Technology services for companies in Fargo and throughout the U.S. and has achieved Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes consultants who have attained advanced certifications in leading technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cyber security consultants have garnered internationally-recognized industry certifications including CISA, CISSP, CRISC, and GIAC. (Refer to Progent's certifications). Progent in addition has expertise with financial systems and ERP software solutions. This breadth of expertise gives Progent the capability to rapidly determine necessary systems and integrate the surviving parts of your computer network environment after a ransomware event and assemble them into a functioning network.

Progent's security team of experts deploys powerful project management applications to coordinate the sophisticated restoration process. Progent knows the importance of acting swiftly and together with a customerís management and Information Technology staff to prioritize tasks and to get critical services back on-line as fast as humanly possible.

Customer Case Study: A Successful Ransomware Virus Restoration
A small business contacted Progent after their company was penetrated by the Ryuk ransomware. Ryuk is generally considered to have been developed by North Korean state cybercriminals, possibly adopting strategies leaked from Americaís National Security Agency. Ryuk attacks specific organizations with little or no tolerance for disruption and is one of the most lucrative iterations of ransomware viruses. Headline organizations include Data Resolution, a California-based information warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a regional manufacturer located in Chicago and has about 500 employees. The Ryuk intrusion had frozen all essential operations and manufacturing processes. The majority of the client's data protection had been on-line at the beginning of the intrusion and were damaged. The client considered paying the ransom (exceeding two hundred thousand dollars) and praying for good luck, but ultimately reached out to Progent.


"I canít thank you enough in regards to the expertise Progent gave us during the most critical time of (our) businesses existence. We had little choice but to pay the cybercriminals if not for the confidence the Progent team provided us. That you could get our e-mail system and critical applications back online quicker than 1 week was something I thought impossible. Every single consultant I spoke to or communicated with at Progent was urgently focused on getting my company operational and was working at all hours on our behalf."

Progent worked with the client to rapidly understand and prioritize the most important services that had to be recovered in order to continue business functions:

  • Microsoft Active Directory
  • Exchange Server
  • MRP System
To get going, Progent adhered to AV/Malware Processes penetration mitigation industry best practices by isolating and clearing infected systems. Progent then started the work of bringing back online Microsoft Active Directory, the core of enterprise systems built on Microsoft technology. Microsoft Exchange email will not function without Windows AD, and the customerís financials and MRP system leveraged Microsoft SQL Server, which depends on Active Directory for security authorization to the data.

Within 48 hours, Progent was able to restore Active Directory to its pre-intrusion state. Progent then accomplished setup and storage recovery on mission critical systems. All Exchange Server ties and configuration information were usable, which greatly helped the restore of Exchange. Progent was also able to find non-encrypted OST data files (Microsoft Outlook Off-Line Folder Files) on various workstations in order to recover mail information. A recent offline backup of the businesses accounting systems made them able to recover these required programs back online for users. Although major work needed to be completed to recover totally from the Ryuk attack, the most important systems were returned to operations quickly:


"For the most part, the production line operation never missed a beat and we did not miss any customer sales."

During the following month critical milestones in the restoration process were accomplished in tight cooperation between Progent engineers and the customer:

  • In-house web sites were returned to operation without losing any data.
  • The MailStore Microsoft Exchange Server exceeding 4 million historical emails was restored to operations and available for users.
  • CRM/Customer Orders/Invoices/Accounts Payable (AP)/AR/Inventory Control functions were 100 percent operational.
  • A new Palo Alto Networks 850 security appliance was brought on-line.
  • Ninety percent of the desktops and laptops were fully operational.

"Much of what happened that first week is nearly entirely a blur for me, but my management will not soon forget the care each and every one of the team accomplished to give us our business back. Iíve been working together with Progent for the past ten years, possibly more, and every time Progent has outperformed my expectations and delivered. This time was the most impressive ever."

Conclusion
A possible company-ending catastrophe was averted by hard-working professionals, a wide array of IT skills, and close collaboration. Although in retrospect the ransomware virus incident described here would have been disabled with modern cyber security technology solutions and recognized best practices, team education, and properly executed security procedures for data protection and applying software patches, the reality is that government-sponsored cybercriminals from Russia, North Korea and elsewhere are tireless and will continue. If you do get hit by a crypto-ransomware penetration, remember that Progent's roster of experts has proven experience in ransomware virus defense, cleanup, and information systems recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others who were contributing), Iím grateful for making it so I could get rested after we made it past the first week. Everyone did an amazing job, and if any of your guys is in the Chicago area, a great meal is on me!"

To review or download a PDF version of this customer story, please click:
Progent's Crypto-Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent can provide businesses in Fargo a variety of remote monitoring and security evaluation services to assist you to reduce the threat from ransomware. These services include next-generation AI technology to detect zero-day strains of ransomware that can evade legacy signature-based security products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection solution that utilizes cutting edge behavior-based machine learning tools to defend physical and virtual endpoints against new malware assaults such as ransomware and email phishing, which routinely evade legacy signature-based anti-virus tools. ProSight ASM safeguards on-premises and cloud resources and provides a single platform to automate the complete malware attack lifecycle including filtering, identification, containment, remediation, and post-attack forensics. Top capabilities include single-click rollback using Windows Volume Shadow Copy Service (VSS) and real-time system-wide immunization against new attacks. Learn more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection: Physical and Virtual Endpoint Security and Microsoft Exchange Email Filtering
    ProSight Enhanced Security Protection managed services offer affordable multi-layer security for physical and virtual servers, workstations, mobile devices, and Microsoft Exchange. ProSight ESP uses contextual security and modern behavior analysis for round-the-clock monitoring and reacting to cyber threats from all attack vectors. ProSight ESP delivers two-way firewall protection, penetration alarms, endpoint management, and web filtering via leading-edge technologies incorporated within a single agent accessible from a single console. Progent's data protection and virtualization consultants can assist you to design and configure a ProSight ESP deployment that addresses your organization's specific requirements and that helps you achieve and demonstrate compliance with legal and industry information security standards. Progent will help you define and implement security policies that ProSight ESP will manage, and Progent will monitor your IT environment and respond to alarms that call for urgent action. Progent can also help your company to set up and test a backup and restore solution such as ProSight Data Protection Services so you can get back in business quickly from a potentially disastrous security attack like ransomware. Find out more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint security and Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services from Progent offer small and medium-sized organizations a low cost end-to-end solution for reliable backup/disaster recovery (BDR). Available at a fixed monthly price, ProSight Data Protection Services automates your backup activities and enables fast recovery of critical data, apps and VMs that have become lost or corrupted as a result of hardware breakdowns, software glitches, natural disasters, human mistakes, or malicious attacks like ransomware. ProSight Data Protection Services can help you back up, retrieve and restore files, folders, apps, system images, as well as Hyper-V and VMware virtual machine images. Critical data can be protected on the cloud, to a local device, or to both. Progent's cloud backup specialists can deliver advanced support to set up ProSight Data Protection Services to to comply with regulatory requirements such as HIPAA, FINRA, PCI and Safe Harbor and, when needed, can help you to restore your critical information. Find out more about ProSight DPS Managed Cloud Backup.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that uses the infrastructure of leading information security vendors to deliver centralized control and world-class protection for your email traffic. The hybrid architecture of Progent's Email Guard integrates a Cloud Protection Layer with an on-premises security gateway appliance to offer advanced protection against spam, viruses, Denial of Service (DoS) Attacks, Directory Harvest Attacks (DHAs), and other email-based threats. The cloud filter acts as a first line of defense and blocks most unwanted email from making it to your security perimeter. This decreases your exposure to external attacks and conserves network bandwidth and storage. Email Guard's onsite gateway appliance provides a deeper layer of analysis for incoming email. For outgoing email, the local gateway provides anti-virus and anti-spam filtering, protection against data leaks, and email encryption. The onsite gateway can also assist Microsoft Exchange Server to monitor and protect internal email that originates and ends inside your corporate firewall. For more information, visit Email Guard spam and content filtering.

  • ProSight WAN Watch: Infrastructure Remote Monitoring and Management
    Progentís ProSight WAN Watch is a network infrastructure management service that makes it simple and affordable for smaller businesses to map out, track, enhance and troubleshoot their connectivity appliances like routers, firewalls, and wireless controllers plus servers, printers, endpoints and other networked devices. Incorporating state-of-the-art RMM technology, WAN Watch makes sure that network maps are always updated, copies and manages the configuration information of almost all devices connected to your network, monitors performance, and sends alerts when potential issues are discovered. By automating time-consuming management and troubleshooting processes, WAN Watch can knock hours off ordinary tasks like network mapping, expanding your network, finding appliances that need important updates, or isolating performance issues. Learn more details about ProSight WAN Watch network infrastructure management services.

  • ProSight LAN Watch: Server and Desktop Monitoring
    ProSight LAN Watch is Progentís server and desktop monitoring service that incorporates advanced remote monitoring and management (RMM) technology to help keep your IT system running efficiently by checking the state of critical assets that drive your information system. When ProSight LAN Watch uncovers a problem, an alarm is sent automatically to your specified IT personnel and your Progent engineering consultant so that all potential problems can be resolved before they can disrupt productivity. Find out more about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
    With Progent's ProSight Virtual Hosting service, a small or mid-size business can have its critical servers and apps hosted in a secure Tier III data center on a high-performance virtual host set up and maintained by Progent's network support professionals. With the ProSight Virtual Hosting service model, the customer retains ownership of the data, the operating system software, and the applications. Because the environment is virtualized, it can be moved immediately to an alternate hardware solution without a lengthy and difficult reinstallation process. With ProSight Virtual Hosting, your business is not locked into a single hosting provider. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to create, maintain, retrieve and safeguard data about your network infrastructure, procedures, applications, and services. You can instantly locate passwords or serial numbers and be alerted automatically about impending expirations of SSL certificates or warranties. By updating and managing your IT infrastructure documentation, you can eliminate up to 50% of time thrown away trying to find critical information about your network. ProSight IT Asset Management includes a common location for holding and sharing all documents required for managing your network infrastructure such as standard operating procedures and self-service instructions. ProSight IT Asset Management also offers a high level of automation for gathering and relating IT information. Whether youíre planning enhancements, doing maintenance, or responding to a crisis, ProSight IT Asset Management gets you the data you need when you need it. Read more about Progent's ProSight IT Asset Management service.
For 24/7/365 Fargo Crypto-Ransomware Repair Help, contact Progent at 800-993-9400 or go to Contact Progent.