Ransomware : Your Crippling Information Technology Catastrophe
Crypto-Ransomware  Remediation ConsultantsRansomware has become a modern cyber pandemic that presents an enterprise-level threat for businesses of all sizes unprepared for an assault. Different versions of crypto-ransomware like the CryptoLocker, CryptoWall, Locky, Syskey and MongoLock cryptoworms have been circulating for a long time and continue to inflict destruction. More recent strains of ransomware such as Ryuk, Maze, Sodinokibi, Netwalker, Conti or Nephilim, as well as additional unnamed viruses, not only encrypt online data files but also infect all configured system protection mechanisms. Information synched to the cloud can also be encrypted. In a vulnerable data protection solution, this can render automatic restoration impossible and basically sets the entire system back to zero.

Getting back online services and data following a ransomware event becomes a race against time as the victim fights to stop the spread and eradicate the ransomware and to restore enterprise-critical operations. Due to the fact that crypto-ransomware takes time to spread, assaults are frequently sprung during weekends and nights, when attacks may take longer to notice. This multiplies the difficulty of quickly mobilizing and coordinating an experienced response team.

Progent provides a variety of solutions for protecting enterprises from ransomware events. These include staff training to help identify and not fall victim to phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, along with deployment of next-generation security appliances with machine learning technology to rapidly detect and quarantine new cyber threats. Progent also can provide the services of experienced ransomware recovery consultants with the track record and perseverance to re-deploy a compromised environment as rapidly as possible.

Progent's Crypto-Ransomware Restoration Help
Following a ransomware penetration, sending the ransom demands in cryptocurrency does not guarantee that distant criminals will respond with the keys to decipher any or all of your data. Kaspersky Labs estimated that 17% of ransomware victims never recovered their files after having paid the ransom, resulting in more losses. The gamble is also costly. Ryuk ransoms frequently range from fifteen to forty BTC ($120,000 and $400,000). This is well above the typical ransomware demands, which ZDNET determined to be around $13,000. The fallback is to setup from scratch the mission-critical parts of your Information Technology environment. Absent the availability of complete system backups, this calls for a wide range of IT skills, well-coordinated team management, and the ability to work continuously until the recovery project is done.

For decades, Progent has provided certified expert IT services for companies in Harrisburg and throughout the U.S. and has achieved Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes professionals who have attained top certifications in foundation technologies like Microsoft, Cisco, VMware, and major distributions of Linux. Progent's security consultants have earned internationally-renowned industry certifications including CISA, CISSP-ISSAP, CRISC, and GIAC. (See Progent's certifications). Progent in addition has experience in accounting and ERP application software. This breadth of expertise gives Progent the skills to rapidly identify necessary systems and organize the surviving pieces of your network system following a ransomware penetration and configure them into an operational system.

Progent's recovery group has best of breed project management systems to orchestrate the complicated recovery process. Progent appreciates the importance of working rapidly and in concert with a customerís management and IT staff to prioritize tasks and to put key services back on line as fast as humanly possible.

Client Story: A Successful Ransomware Virus Response
A customer engaged Progent after their network was penetrated by Ryuk crypto-ransomware. Ryuk is thought to have been deployed by North Korean state cybercriminals, suspected of using technology exposed from Americaís NSA organization. Ryuk targets specific businesses with little or no tolerance for operational disruption and is one of the most lucrative examples of crypto-ransomware. Headline victims include Data Resolution, a California-based information warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a regional manufacturer headquartered in Chicago with about 500 employees. The Ryuk penetration had brought down all business operations and manufacturing capabilities. The majority of the client's data protection had been online at the time of the attack and were encrypted. The client was pursuing financing for paying the ransom (more than $200,000) and wishfully thinking for good luck, but ultimately made the decision to use Progent.


"I cannot thank you enough about the care Progent gave us throughout the most stressful period of (our) businesses existence. We would have paid the hackers behind this attack if not for the confidence the Progent team afforded us. That you were able to get our e-mail system and key servers back on-line sooner than one week was amazing. Every single staff member I got help from or messaged at Progent was urgently focused on getting my company operational and was working breakneck pace to bail us out."

Progent worked hand in hand the client to quickly identify and assign priority to the mission critical services that needed to be recovered in order to continue departmental functions:

  • Windows Active Directory
  • Electronic Messaging
  • Accounting and Manufacturing Software
To get going, Progent adhered to AV/Malware Processes incident response best practices by isolating and clearing infected systems. Progent then began the task of recovering Microsoft Active Directory, the heart of enterprise environments built upon Microsoft Windows Server technology. Microsoft Exchange email will not work without Active Directory, and the client's accounting and MRP applications used Microsoft SQL, which needs Windows AD for access to the database.

Within two days, Progent was able to restore Active Directory to its pre-penetration state. Progent then completed reinstallations and storage recovery on critical servers. All Exchange Server ties and configuration information were usable, which facilitated the restore of Exchange. Progent was also able to collect intact OST files (Microsoft Outlook Offline Folder Files) on various workstations and laptops in order to recover mail messages. A not too old off-line backup of the client's accounting/MRP software made them able to restore these vital programs back online for users. Although major work needed to be completed to recover fully from the Ryuk virus, critical services were returned to operations quickly:


"For the most part, the assembly line operation was never shut down and we made all customer sales."

Over the following few weeks important milestones in the restoration process were achieved through tight cooperation between Progent consultants and the client:

  • Self-hosted web sites were brought back up without losing any data.
  • The MailStore Exchange Server with over 4 million historical messages was brought online and accessible to users.
  • CRM/Orders/Invoices/Accounts Payable/Accounts Receivables/Inventory modules were 100% functional.
  • A new Palo Alto Networks 850 firewall was brought online.
  • Ninety percent of the desktop computers were back into operation.

"So much of what transpired in the early hours is nearly entirely a blur for me, but my team will not soon forget the urgency each of your team accomplished to help get our company back. Iíve entrusted Progent for the past ten years, possibly more, and each time I needed help Progent has shined and delivered. This time was no exception but maybe more Herculean."

Conclusion
A likely business-killing catastrophe was dodged due to top-tier professionals, a broad range of knowledge, and tight teamwork. Although in retrospect the ransomware virus attack described here could have been shut down with advanced security systems and best practices, user training, and well thought out incident response procedures for information protection and keeping systems up to date with security patches, the reality is that government-sponsored cybercriminals from Russia, North Korea and elsewhere are relentless and are an ongoing threat. If you do fall victim to a ransomware attack, feel confident that Progent's team of professionals has proven experience in ransomware virus defense, remediation, and data recovery.


"So, to Darrin, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others that were helping), thank you for letting me get rested after we got past the initial fire. All of you did an incredible job, and if anyone is visiting the Chicago area, dinner is my treat!"

To review or download a PDF version of this customer story, please click:
Progent's Crypto-Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent offers companies in Harrisburg a variety of online monitoring and security assessment services to assist you to minimize the threat from crypto-ransomware. These services include modern AI capability to uncover new variants of ransomware that are able to escape detection by legacy signature-based security products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) service that utilizes next generation behavior-based machine learning technology to defend physical and virtual endpoints against new malware assaults like ransomware and email phishing, which easily get by legacy signature-based anti-virus tools. ProSight ASM protects on-premises and cloud-based resources and provides a single platform to address the entire malware attack lifecycle including filtering, infiltration detection, containment, cleanup, and post-attack forensics. Key features include one-click rollback using Windows Volume Shadow Copy Service (VSS) and real-time network-wide immunization against newly discovered threats. Find out more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Security and Exchange Filtering
    Progent's ProSight Enhanced Security Protection (ESP) managed services offer ultra-affordable multi-layer security for physical and virtual servers, workstations, mobile devices, and Exchange email. ProSight ESP utilizes contextual security and advanced heuristics for continuously monitoring and responding to security assaults from all vectors. ProSight ESP delivers two-way firewall protection, intrusion alarms, endpoint management, and web filtering via cutting-edge technologies packaged within one agent managed from a unified console. Progent's data protection and virtualization consultants can assist you to plan and implement a ProSight ESP environment that meets your organization's specific requirements and that allows you achieve and demonstrate compliance with government and industry data security standards. Progent will help you define and configure policies that ProSight ESP will manage, and Progent will monitor your network and respond to alerts that call for immediate attention. Progent can also assist your company to set up and test a backup and disaster recovery solution like ProSight Data Protection Services so you can get back in business rapidly from a potentially disastrous cyber attack such as ransomware. Find out more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint protection and Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery
    ProSight Data Protection Services offer small and mid-sized organizations an affordable end-to-end solution for secure backup/disaster recovery. Available at a low monthly price, ProSight Data Protection Services automates and monitors your backup processes and allows fast recovery of critical files, apps and VMs that have become lost or damaged as a result of component failures, software glitches, disasters, human error, or malware attacks like ransomware. ProSight Data Protection Services can help you protect, recover and restore files, folders, applications, system images, as well as Hyper-V and VMware images/. Important data can be protected on the cloud, to an on-promises device, or to both. Progent's BDR specialists can deliver advanced support to set up ProSight Data Protection Services to be compliant with government and industry regulatory standards like HIPAA, FINRA, and PCI and, when needed, can help you to restore your critical information. Learn more about ProSight Data Protection Services Managed Cloud Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering and email encryption service that incorporates the technology of top data security companies to deliver web-based control and comprehensive protection for your email traffic. The powerful structure of Progent's Email Guard managed service combines a Cloud Protection Layer with a local gateway appliance to offer complete defense against spam, viruses, Denial of Service (DoS) Attacks, Directory Harvest Attacks (DHAs), and other email-based threats. Email Guard's cloud filter acts as a first line of defense and blocks most unwanted email from making it to your network firewall. This reduces your vulnerability to inbound attacks and saves network bandwidth and storage space. Email Guard's on-premises security gateway appliance provides a further layer of analysis for inbound email. For outbound email, the onsite gateway provides AV and anti-spam filtering, protection against data leaks, and email encryption. The on-premises gateway can also help Exchange Server to monitor and safeguard internal email traffic that stays within your security perimeter. For more details, see Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Infrastructure Remote Monitoring and Management
    Progentís ProSight WAN Watch is a network infrastructure monitoring and management service that makes it simple and affordable for smaller businesses to map, monitor, enhance and troubleshoot their networking hardware like routers and switches, firewalls, and access points plus servers, printers, endpoints and other networked devices. Incorporating cutting-edge RMM technology, ProSight WAN Watch ensures that infrastructure topology maps are always current, copies and displays the configuration information of virtually all devices connected to your network, monitors performance, and sends alerts when problems are discovered. By automating complex management and troubleshooting processes, ProSight WAN Watch can cut hours off ordinary tasks such as network mapping, reconfiguring your network, finding devices that require important updates, or isolating performance problems. Find out more about ProSight WAN Watch infrastructure monitoring and management consulting.

  • ProSight LAN Watch: Server and Desktop Monitoring
    ProSight LAN Watch is Progentís server and desktop remote monitoring service that incorporates state-of-the-art remote monitoring and management (RMM) techniques to keep your IT system running at peak levels by checking the health of vital assets that power your business network. When ProSight LAN Watch detects a problem, an alert is sent automatically to your specified IT staff and your assigned Progent consultant so that all potential issues can be addressed before they can disrupt your network. Find out more about ProSight LAN Watch server and desktop monitoring consulting.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
    With ProSight Virtual Hosting service, a small or mid-size business can have its key servers and applications hosted in a protected Tier III data center on a fast virtual host configured and managed by Progent's IT support experts. With the ProSight Virtual Hosting service model, the customer retains ownership of the data, the OS software, and the apps. Since the system is virtualized, it can be ported immediately to a different hardware solution without a time-consuming and technically risky reinstallation process. With ProSight Virtual Hosting, you are not locked into one hosting service. Find out more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to create, update, find and protect information related to your IT infrastructure, processes, applications, and services. You can quickly locate passwords or serial numbers and be alerted about impending expirations of SSLs or domains. By updating and managing your network documentation, you can eliminate up to half of time wasted searching for vital information about your IT network. ProSight IT Asset Management includes a centralized location for holding and sharing all documents related to managing your business network like standard operating procedures and self-service instructions. ProSight IT Asset Management also supports a high level of automation for collecting and associating IT data. Whether youíre planning improvements, performing regular maintenance, or responding to an emergency, ProSight IT Asset Management gets you the knowledge you need the instant you need it. Learn more about Progent's ProSight IT Asset Management service.
For 24x7x365 Harrisburg CryptoLocker Remediation Help, reach out to Progent at 800-993-9400 or go to Contact Progent.