Ransomware : Your Feared Information Technology Disaster
Ransomware  Recovery ProfessionalsRansomware has become a modern cyber pandemic that poses an existential threat for organizations unprepared for an assault. Different iterations of ransomware like the CryptoLocker, CryptoWall, Locky, SamSam and MongoLock cryptoworms have been running rampant for many years and still cause havoc. More recent variants of ransomware such as Ryuk and Hermes, as well as additional unnamed viruses, not only do encryption of on-line data files but also infiltrate many configured system backup. Information synchronized to cloud environments can also be corrupted. In a vulnerable system, this can make automated restore operations useless and basically sets the entire system back to square one.

Getting back online services and data after a ransomware intrusion becomes a race against time as the targeted organization struggles to stop the spread and cleanup the crypto-ransomware and to restore mission-critical activity. Because crypto-ransomware takes time to replicate, attacks are often launched on weekends, when successful attacks are likely to take more time to identify. This compounds the difficulty of rapidly marshalling and coordinating an experienced mitigation team.

Progent provides an assortment of help services for protecting businesses from ransomware attacks. Among these are team education to help recognize and avoid phishing exploits, ProSight Active Security Monitoring (ASM) for remote monitoring and management, in addition to setup and configuration of next-generation security appliances with artificial intelligence technology to quickly discover and suppress zero-day cyber threats. Progent also provides the services of veteran ransomware recovery consultants with the talent and commitment to restore a breached environment as quickly as possible.

Progent's Ransomware Restoration Services
Following a ransomware attack, even paying the ransom in Bitcoin cryptocurrency does not guarantee that cyber hackers will return the codes to decipher any of your files. Kaspersky determined that 17% of ransomware victims never restored their data after having sent off the ransom, resulting in additional losses. The risk is also expensive. Ryuk ransoms frequently range from 15-40 BTC ($120,000 and $400,000). This is greatly above the usual ransomware demands, which ZDNET determined to be around $13,000. The fallback is to setup from scratch the essential parts of your Information Technology environment. Without the availability of essential information backups, this calls for a wide complement of skill sets, professional project management, and the willingness to work 24x7 until the task is over.

For two decades, Progent has made available certified expert Information Technology services for companies in Harrisburg and throughout the United States and has earned Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes engineers who have been awarded high-level certifications in foundation technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's security engineers have garnered internationally-renowned industry certifications including CISM, CISSP-ISSAP, ISACA CRISC, and GIAC. (Visit Progent's certifications). Progent in addition has expertise with accounting and ERP software solutions. This breadth of experience affords Progent the ability to rapidly understand necessary systems and consolidate the surviving components of your computer network environment following a ransomware attack and configure them into an operational system.

Progent's recovery team of experts deploys best of breed project management tools to coordinate the complex restoration process. Progent knows the importance of acting quickly and in concert with a customerís management and Information Technology resources to prioritize tasks and to get critical systems back online as soon as humanly possible.

Business Case Study: A Successful Ransomware Virus Response
A small business escalated to Progent after their network system was brought down by Ryuk crypto-ransomware. Ryuk is generally considered to have been created by North Korean government sponsored hackers, possibly adopting approaches exposed from the U.S. National Security Agency. Ryuk targets specific companies with little or no tolerance for disruption and is one of the most profitable versions of ransomware. Well Known organizations include Data Resolution, a California-based info warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a single-location manufacturer headquartered in Chicago and has about 500 workers. The Ryuk penetration had frozen all business operations and manufacturing capabilities. Most of the client's system backups had been directly accessible at the time of the attack and were eventually encrypted. The client was pursuing financing for paying the ransom demand (exceeding two hundred thousand dollars) and wishfully thinking for good luck, but in the end reached out to Progent.


"I canít tell you enough about the support Progent gave us during the most critical time of (our) businesses survival. We would have paid the Hackers except for the confidence the Progent team gave us. That you were able to get our messaging and key applications back faster than 1 week was incredible. Each person I talked with or messaged at Progent was hell bent on getting us operational and was working 24 by 7 to bail us out."

Progent worked together with the client to quickly understand and prioritize the mission critical areas that needed to be restored in order to resume company operations:

  • Active Directory (AD)
  • Exchange Server
  • Accounting/MRP
To begin, Progent followed ransomware event response industry best practices by halting the spread and removing active viruses. Progent then started the process of rebuilding Microsoft AD, the key technology of enterprise networks built upon Microsoft Windows technology. Microsoft Exchange email will not operate without AD, and the client's financials and MRP applications utilized SQL Server, which depends on Active Directory services for authentication to the database.

Within 2 days, Progent was able to restore Active Directory services to its pre-intrusion state. Progent then performed reinstallations and storage recovery of needed servers. All Exchange Server ties and configuration information were intact, which facilitated the rebuild of Exchange. Progent was able to assemble local OST data files (Outlook Offline Folder Files) on various workstations in order to recover email messages. A not too old off-line backup of the businesses financials/ERP software made it possible to return these essential applications back online for users. Although significant work needed to be completed to recover fully from the Ryuk event, essential services were restored rapidly:


"For the most part, the assembly line operation did not miss a beat and we delivered all customer sales."

During the following month important milestones in the restoration process were completed in close cooperation between Progent consultants and the client:

  • Internal web applications were restored with no loss of information.
  • The MailStore Microsoft Exchange Server containing more than 4 million historical emails was brought on-line and available for users.
  • CRM/Customer Orders/Invoicing/Accounts Payable/Accounts Receivables (AR)/Inventory Control capabilities were completely restored.
  • A new Palo Alto Networks 850 firewall was installed.
  • Ninety percent of the user desktops were operational.

"So much of what was accomplished during the initial response is mostly a blur for me, but my management will not soon forget the commitment each of your team accomplished to give us our company back. Iíve been working with Progent for the past 10 years, maybe more, and each time I needed help Progent has shined and delivered. This time was a Herculean accomplishment."

Conclusion
A potential company-ending disaster was dodged due to results-oriented professionals, a wide range of technical expertise, and close teamwork. Although in analyzing the event afterwards the ransomware virus incident described here would have been stopped with up-to-date cyber security systems and ISO/IEC 27001 best practices, team training, and well designed security procedures for backup and proper patching controls, the reality is that state-sponsored cyber criminals from Russia, North Korea and elsewhere are relentless and will continue. If you do get hit by a ransomware incursion, feel confident that Progent's team of professionals has extensive experience in crypto-ransomware virus defense, mitigation, and file disaster recovery.


"So, to Darrin, Matt, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were contributing), Iím grateful for allowing me to get rested after we made it over the first week. Everyone did an incredible effort, and if anyone that helped is in the Chicago area, a great meal is the least I can do!"

To review or download a PDF version of this customer case study, click:
Progent's Ryuk Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent can provide companies in Harrisburg a portfolio of remote monitoring and security assessment services to assist you to reduce the threat from ransomware. These services incorporate next-generation AI technology to uncover zero-day strains of ransomware that can escape detection by traditional signature-based anti-virus products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring is an endpoint protection (EPP) solution that incorporates cutting edge behavior-based machine learning tools to defend physical and virtual endpoint devices against modern malware attacks such as ransomware and email phishing, which routinely escape traditional signature-matching AV tools. ProSight ASM protects on-premises and cloud resources and provides a single platform to address the entire threat lifecycle including protection, identification, containment, cleanup, and post-attack forensics. Top capabilities include one-click rollback using Windows Volume Shadow Copy Service and real-time system-wide immunization against new threats. Read more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Security and Microsoft Exchange Filtering
    Progent's ProSight Enhanced Security Protection services deliver affordable multi-layer protection for physical and virtual servers, workstations, smartphones, and Exchange email. ProSight ESP uses contextual security and modern behavior analysis for continuously monitoring and reacting to security threats from all vectors. ProSight ESP offers two-way firewall protection, penetration alarms, device management, and web filtering through leading-edge technologies packaged within a single agent managed from a unified console. Progent's data protection and virtualization consultants can help you to design and implement a ProSight ESP environment that addresses your company's unique requirements and that allows you achieve and demonstrate compliance with legal and industry information protection regulations. Progent will assist you specify and configure security policies that ProSight ESP will manage, and Progent will monitor your network and respond to alerts that call for urgent action. Progent's consultants can also assist your company to set up and verify a backup and restore solution such as ProSight Data Protection Services so you can get back in business quickly from a destructive cyber attack like ransomware. Learn more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint security and Microsoft Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services provide small and mid-sized organizations a low cost end-to-end solution for reliable backup/disaster recovery. For a low monthly cost, ProSight Data Protection Services automates your backup processes and allows rapid recovery of critical data, applications and VMs that have become unavailable or damaged as a result of hardware failures, software bugs, disasters, human error, or malicious attacks like ransomware. ProSight Data Protection Services can help you back up, recover and restore files, folders, apps, system images, plus Hyper-V and VMware images/. Important data can be backed up on the cloud, to a local storage device, or to both. Progent's BDR consultants can deliver world-class support to set up ProSight DPS to to comply with government and industry regulatory standards like HIPPA, FINRA, and PCI and, when necessary, can assist you to restore your critical data. Find out more about ProSight Data Protection Services Managed Cloud Backup.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that incorporates the infrastructure of leading information security vendors to deliver centralized management and comprehensive security for all your email traffic. The powerful structure of Email Guard managed service integrates a Cloud Protection Layer with a local security gateway device to offer complete defense against spam, viruses, Denial of Service Attacks, DHAs, and other email-based threats. The Cloud Protection Layer acts as a first line of defense and blocks the vast majority of unwanted email from making it to your security perimeter. This reduces your vulnerability to inbound attacks and saves system bandwidth and storage space. Email Guard's onsite gateway device adds a further layer of analysis for inbound email. For outgoing email, the local security gateway provides AV and anti-spam filtering, policy-based Data Loss Prevention, and email encryption. The on-premises gateway can also assist Exchange Server to track and protect internal email traffic that originates and ends within your corporate firewall. For more information, see Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is an infrastructure management service that makes it simple and affordable for small and mid-sized businesses to map out, track, optimize and debug their connectivity appliances like routers, firewalls, and access points as well as servers, endpoints and other networked devices. Using state-of-the-art RMM technology, ProSight WAN Watch ensures that network diagrams are kept current, captures and manages the configuration of almost all devices connected to your network, tracks performance, and generates notices when issues are discovered. By automating time-consuming network management processes, ProSight WAN Watch can knock hours off common tasks like making network diagrams, expanding your network, locating appliances that need critical updates, or identifying the cause of performance bottlenecks. Learn more about ProSight WAN Watch infrastructure monitoring and management services.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
    ProSight LAN Watch is Progentís server and desktop remote monitoring managed service that uses advanced remote monitoring and management (RMM) technology to keep your network running efficiently by tracking the state of critical computers that power your business network. When ProSight LAN Watch uncovers a problem, an alarm is sent immediately to your designated IT personnel and your assigned Progent engineering consultant so all potential issues can be resolved before they have a chance to impact your network. Find out more details about ProSight LAN Watch server and desktop monitoring services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
    With Progent's ProSight Virtual Hosting service, a small or mid-size business can have its key servers and apps hosted in a secure Tier III data center on a fast virtual host configured and managed by Progent's IT support professionals. With Progent's ProSight Virtual Hosting service model, the client owns the data, the operating system platforms, and the applications. Because the system is virtualized, it can be moved easily to a different hardware environment without a lengthy and difficult configuration process. With ProSight Virtual Hosting, you are not tied one hosting provider. Learn more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to capture, maintain, find and protect information about your network infrastructure, processes, business apps, and services. You can quickly locate passwords or serial numbers and be warned about upcoming expirations of SSLs or domains. By updating and organizing your IT infrastructure documentation, you can eliminate up to 50% of time thrown away searching for critical information about your network. ProSight IT Asset Management features a common repository for holding and collaborating on all documents related to managing your business network like standard operating procedures (SOPs) and How-To's. ProSight IT Asset Management also offers advanced automation for collecting and associating IT information. Whether youíre making enhancements, doing regular maintenance, or reacting to a crisis, ProSight IT Asset Management gets you the information you require as soon as you need it. Read more about ProSight IT Asset Management service.
For Harrisburg 24/7 Ransomware Removal Support Services, call Progent at 800-993-9400 or go to Contact Progent.